CN107820234B - Network roaming protection method, related equipment and system - Google Patents


Info

Publication number
CN107820234B
Authority
CN
China
Prior art keywords
key
network
target
visited
management device
Prior art date
Legal status
Active
Application number
CN201610826048.7A
Other languages
Chinese (zh)
Other versions
CN107820234A (en)
Inventor
吴荣
张博
甘露
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610826048.7A (CN107820234B)
Priority to EP17850070.8A (EP3496436B1)
Priority to PCT/CN2017/090286 (WO2018049865A1)
Publication of CN107820234A
Priority to US16/351,772 (US10743368B2)
Priority to US16/909,601 (US11109230B2)
Application granted
Publication of CN107820234B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08 Mobility data transfer
    • H04W8/12 Mobility data transfer between location registers or mobility servers
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/08 Upper layer protocols
    • H04W80/10 Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16 Gateway arrangements
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04 Large scale networks; Deep hierarchical networks
    • H04W84/042 Public Land Mobile systems, e.g. cellular systems

Abstract

The embodiments of the invention disclose a network roaming protection method, related devices and a system. The method comprises the following steps: a visited session management device receives a first session establishment request sent by user equipment (UE) and containing a first security requirement set; the visited session management device obtains a target security policy, which is obtained by processing the first security requirement set and a second security requirement set according to a preset rule; the visited session management device sends the target security policy to the UE, so that the UE generates a target shared key from a reference shared key according to the rule defined by the target security policy; the target shared key is used to protect, end to end, the data transmitted between the UE and the visited gateway. With the invention, the UE can still transmit data securely after it has roamed to another network.

Description

Network roaming protection method, related equipment and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a network roaming protection method, a related device, and a system.
Background
Fifth-generation mobile communication (5G) networks are developing towards diversification, broadband, integration and intelligence. With the spread of user equipment (UE) of all kinds, mobile data traffic will grow explosively. For example, when a UE in a 5G network transmits data, no security verification is performed between the UE and the access network (AN) device: the AN only forwards data between the UE and the user plane gateway (UP-GW), and the task of securing the data falls to the UE and the UP-GW. That is, data transmission is protected end to end between the UE and the UP-GW.
Fig. 1 is a schematic flow diagram of the 5G network roaming procedure currently under study, which concerns roaming between different public land mobile networks (PLMNs): the home PLMN (HPLMN) is the PLMN to which the UE belongs, and the visited PLMN (VPLMN) is the PLMN the UE accesses. The network elements involved are the UE, the AN, session management devices (SM), UP-GWs and a security policy controller (SPCF). For clarity, the session management device of the visited network is called the V-SM, the session management device of the home network the H-SM, the user plane gateway of the visited network the VUP-GW, and the user plane gateway of the home network the HUP-GW. The roaming procedure is as follows:
Step 1: The UE sends a session establishment request to the session management device V-SM in the visited network.
Step 2: After receiving the session establishment request, the V-SM determines, from the information carried by the UE, the session management device H-SM in the home network that serves the UE.
Step 3: The V-SM selects a user plane gateway VUP-GW in the visited network.
Step 4: The V-SM interacts with the selected VUP-GW to establish a user plane path.
Step 5: The V-SM sends a session establishment request to the H-SM.
Step 6: The H-SM interacts with the security policy controller in the home network to obtain the information needed to establish the new session, e.g. subscription data and service data.
Step 7: The H-SM determines the user plane gateway HUP-GW that provides access for the UE.
Step 8: The H-SM interacts with the HUP-GW to establish a user plane path.
Step 9: The H-SM sends a session establishment response to the V-SM.
Step 10: After receiving the session establishment response, the V-SM requests from the AN the resources required to establish the session.
Step 11: The V-SM interacts with the VUP-GW, according to the resources obtained, to update the user plane path.
Step 12: The V-SM and the UE interact to complete the establishment of the session.
After the above procedure has run, the UE has a new session in the VPLMN. How to ensure that data is transmitted securely in that new session is the problem being studied by those skilled in the art.
Disclosure of Invention
The embodiment of the invention discloses a network roaming protection method, related equipment and a system, which can ensure that UE can still safely transmit data after network roaming occurs.
In a first aspect, an embodiment of the present invention provides a network roaming protection method, where the method includes:
a visited session management device receives a first session establishment request sent by user equipment (UE) and containing a first security requirement set, where the first security requirement set contains the security requirements of the UE and the security requirements of a target service, a security requirement defines at least one of an acceptable key algorithm, an acceptable key length and an acceptable key update period, the target service is the service currently executed by the UE, and the visited session management device is the device that manages sessions in the visited network of the UE;
the visited session management device obtains a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is the user plane gateway used when the UE accesses the visited network, and the home gateway is the user plane gateway used when the UE accesses its home network;
the visited session management device sends the target security policy to the UE, so that the UE generates a target shared key from a reference shared key according to the rule defined by the target security policy; the reference shared key is the basic key of the UE in the home network, a shared key derived from that basic key, the basic key of the UE in the visited network, or a shared key derived from that basic key; the basic key of the UE in the home network is generated by mutual authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is generated by mutual authentication between the UE and the key management device in the visited network; the target shared key is used to protect, end to end, the data transmitted between the UE and the visited gateway.
By executing the above steps, when the UE roams into the visited network a target security policy is generated by a network element in the home network or in the visited network. The policy covers the security requirements of network elements in the home network and of network elements in the visited network, and a reference shared key (a key generated by, or further derived from, the mutual authentication of the UE in the home network or in the visited network) is processed according to the rule defined by the policy to produce a target shared key. The UE and the visited gateway then use the target shared key to protect their data end to end, so the UE can still transmit data securely after roaming.
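The first aspect leaves the "preset rule" that turns the requirement sets into a target security policy abstract. The following is an added example (not code from the patent or from Huawei) of one such rule: the policy must be acceptable to every party, so the acceptable algorithms and key lengths are intersected, the strongest common algorithm and longest common key length are chosen, and the shortest key update period anyone demands wins. The algorithm names, the preference ranking, the sample requirements, and the optional third requirement set (the service server and subscription server named later in the disclosure) are all constructed for illustration. The point a practitioner should check is the failure branch: when the sets have no common choice, the session must be refused rather than established under a policy some party never accepted.

```python
"""Deriving a target security policy from the parties' security requirements.

Added example, not code from the patent. Assumed preset rule: intersect the
acceptable algorithms and key lengths, pick the strongest common algorithm and
the longest common key length, take the shortest key update period required.
A requirement may leave a field unconstrained (None) and then accepts whatever
the other parties agree on.
"""
from dataclasses import dataclass
from typing import Optional

# Preference order when more than one algorithm is common to all parties
# (assumption: a ranking an operator would configure, not from the patent).
ALG_RANK = {"AES-GCM": 3, "AES-CCM": 2, "ZUC": 1}


@dataclass(frozen=True)
class SecurityRequirement:
    """Security requirement of one party: UE, target service, gateway or server."""
    owner: str
    algorithms: Optional[frozenset] = None   # acceptable key algorithms
    key_lengths: Optional[frozenset] = None  # acceptable key lengths, in bits
    max_update_period: Optional[int] = None  # acceptable key update period, seconds


def _common(values):
    """Intersect the constrained sets; None entries impose no constraint."""
    constrained = [set(v) for v in values if v is not None]
    return set.intersection(*constrained) if constrained else set()


def negotiate(*requirement_sets) -> dict:
    """Apply the preset rule to the first, second (and optional third) sets.

    Returns the target security policy, or raises ValueError when no algorithm
    or key length is acceptable to every party; the caller must then refuse
    the session instead of silently substituting a weaker policy.
    """
    reqs = [r for rs in requirement_sets for r in rs]
    if not reqs:
        raise ValueError("no security requirements supplied")
    algs = _common(r.algorithms for r in reqs)
    lens = _common(r.key_lengths for r in reqs)
    if not algs:
        raise ValueError("no key algorithm acceptable to all parties")
    if not lens:
        raise ValueError("no key length acceptable to all parties")
    periods = [r.max_update_period for r in reqs if r.max_update_period is not None]
    return {
        "algorithm": max(algs, key=lambda a: ALG_RANK.get(a, 0)),
        "key_length": max(lens),
        "update_period": min(periods) if periods else None,
    }


# Constructed sample requirements (illustrative values, not from the patent).
FIRST_SET = [   # carried in the UE's first session establishment request
    SecurityRequirement("UE", frozenset({"AES-GCM", "AES-CCM", "ZUC"}), frozenset({128, 256}), 86400),
    SecurityRequirement("target service", frozenset({"AES-GCM", "ZUC"}), frozenset({128, 256}), 3600),
]
SECOND_SET = [  # held by the visited and home networks
    SecurityRequirement("visited gateway", frozenset({"AES-GCM", "AES-CCM"}), frozenset({128, 256}), 7200),
    SecurityRequirement("home gateway", frozenset({"AES-GCM", "AES-CCM"}), frozenset({256}), None),
]
THIRD_SET = [   # server providing the target service (ninth implementation manner)
    SecurityRequirement("service server", None, frozenset({256}), 1800),
]


def example_policy() -> dict:
    """Policy the session management device would send to the UE for the sample sets."""
    return negotiate(FIRST_SET, SECOND_SET, THIRD_SET)


if __name__ == "__main__":
    print(example_policy())  # {'algorithm': 'AES-GCM', 'key_length': 256, 'update_period': 1800}
    legacy = [SecurityRequirement("legacy gateway", frozenset({"AES-CCM"}), frozenset({128}), None)]
    try:
        negotiate(FIRST_SET, legacy)
    except ValueError as err:
        print("session refused:", err)
```

In the sample, the target service rules out AES-CCM, the home gateway and the service server rule out 128-bit keys, and the service server's 1800-second update period is the shortest, so the policy is AES-GCM with a 256-bit key updated every 1800 seconds. A gateway that only accepts AES-CCM has no algorithm in common with the target service and the request is rejected.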
With reference to the first aspect, in a first possible implementation manner of the first aspect, the second security requirement set includes the security requirement of the visited gateway, and obtaining the target security policy by the visited session management device includes: the visited session management device sends the first security requirement set and the second security requirement set to another device in the visited network, which generates the target security policy from the two sets and returns it to the visited session management device; or the visited session management device generates the target security policy from the two sets itself. The visited session management device either prestores the security requirement of the visited gateway or obtains it from the visited gateway.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the second security requirement set includes the security requirement of the home gateway, and obtaining the target security policy by the visited session management device includes: the visited session management device sends a second policy request message containing the first security requirement set to a home session management device, the device that manages sessions in the home network of the UE; the visited session management device then receives the target security policy from the home session management device, which, on receiving the second policy request message, triggered a device in the home network that stores the second security requirement set to generate the target security policy from the first and second security requirement sets.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the home network or a shared key derived from it, after the visited session management device receives the first session establishment request the method further includes: the visited session management device sends a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the visited session management device receives the target shared key from the home session management device, which generated it from the target security policy and the reference shared key supplied by the key management device in the home network; and the visited session management device sends the target shared key to the visited gateway.
With reference to the second possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the visited network or a shared key derived from it, the method further includes: the visited session management device triggers the key management device in the visited network to perform mutual authentication with the UE and generate the basic key of the UE in the visited network, the key management device having obtained the subscription information of the UE from a network element in the home network beforehand for that authentication; the visited session management device receives the reference shared key from the key management device in the visited network and forwards it to the home session management device; and the visited session management device receives the target shared key, generated by the home session management device from the target security policy and the reference shared key, and sends it to the visited gateway.
With reference to the first or second possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the home network or a shared key derived from it, after the visited session management device receives the first session establishment request the method further includes: the visited session management device sends a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the visited session management device receives the reference shared key, sent by the key management device in the home network and forwarded by the home session management device; and the visited session management device generates the target shared key from the target security policy and the reference shared key and sends it to the visited gateway.
With reference to the first or second possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the visited network or a shared key derived from it, the method further includes: the visited session management device triggers the key management device in the visited network to perform mutual authentication with the UE and generate the basic key of the UE in the visited network, the key management device having obtained the subscription information of the UE from a network element in the home network beforehand for that authentication; the visited session management device receives the reference shared key from the key management device in the visited network; and the visited session management device generates the target shared key from the target security policy and the reference shared key and sends it to the visited gateway.
With reference to the first possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the home network or a shared key derived from it, after the visited session management device receives the first session establishment request the method further includes: the visited session management device sends a second session establishment request, which carries the target security policy, to the home session management device, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the visited session management device receives the target shared key from the home session management device, which generated it from the target security policy and the reference shared key supplied by the key management device in the home network; and the visited session management device sends the target shared key to the visited gateway.
With reference to the first possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, when the reference shared key is the basic key of the UE in the visited network or a shared key derived from it, the method further includes: the visited session management device triggers the key management device in the visited network to perform mutual authentication with the UE and generate the basic key of the UE in the visited network, the key management device having obtained the subscription information of the UE from a network element in the home network beforehand for that authentication; the visited session management device receives the reference shared key from the key management device in the visited network and sends the reference shared key together with the target security policy to the home session management device; and the visited session management device receives the target shared key, generated by the home session management device from the target security policy and the reference shared key, and sends it to the visited gateway.
With reference to the first aspect or any of its first to eighth possible implementation manners, in a ninth possible implementation manner of the first aspect, the target security policy is obtained by processing the first security requirement set, the second security requirement set and a third security requirement set according to the preset rule, where the third security requirement set includes at least one of the security requirement of the server providing the target service and the security requirement of the subscription server of the UE.
In a second aspect, an embodiment of the present invention provides a network roaming protection method, where the method includes:
user equipment (UE) sends a first session establishment request containing a first security requirement set to a visited session management device, where the first security requirement set contains the security requirements of the UE and the security requirements of a target service, a security requirement defines at least one of an acceptable key algorithm, an acceptable key length and an acceptable key update period, the target service is the service currently executed by the UE, and the visited session management device is the device that manages sessions in the visited network of the UE;
the UE receives a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is the user plane gateway used when the UE accesses the visited network, and the home gateway is the user plane gateway used when the UE accesses its home network;
the UE generates a target shared key from a reference shared key according to the rule defined by the target security policy; the reference shared key is the basic key of the UE in the home network, a shared key derived from that basic key, the basic key of the UE in the visited network, or a shared key derived from that basic key; the basic key of the UE in the home network is generated by mutual authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is generated by mutual authentication between the UE and the key management device in the visited network;
the UE protects the data transmitted between itself and the visited gateway with the target shared key.
By executing the above steps, when the UE roams into the visited network a target security policy is generated by a network element in the home network or in the visited network. The policy covers the security requirements of network elements in the home network and of network elements in the visited network, and a reference shared key (a key generated by, or further derived from, the mutual authentication of the UE in the home network or in the visited network) is processed according to the rule defined by the policy to produce a target shared key. The UE and the visited gateway then use the target shared key to protect their data end to end, so the UE can still transmit data securely after roaming.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the reference shared key is the basic key of the UE in the home network or a shared key derived from it, and before the UE generates the target shared key from the reference shared key according to the rule defined by the target security policy, the method further includes: the UE performs mutual authentication with the key management device in the home network to generate the basic key of the UE in the home network.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the reference shared key is the basic key of the UE in the visited network or a shared key derived from it, and before the UE generates the target shared key from the reference shared key according to the rule defined by the target security policy, the method further includes: the UE performs mutual authentication with the key management device in the visited network to generate the basic key of the UE in the visited network, the key management device having obtained the subscription information of the UE from a network element in the home network beforehand for that authentication.
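The first and second aspects both end with the same step: the UE and the network side each derive the target shared key from the reference shared key "according to the rule defined by the target security policy", and the UE then protects its traffic to the visited gateway with that key. The following is an added example (not the patent's key derivation and not Huawei code) of that step carried through on both ends. Everything concrete is an assumption: HKDF with HMAC-SHA256 (RFC 5869, written out so the example runs on the Python standard library) stands in for the unspecified derivation function; the policy fields and a session identifier are bound into the HKDF info so that the UE and the visited gateway obtain the same key only if they hold the same policy; the key length is taken from the policy; the reference key and session identifier are constructed values; and an HMAC tag stands in for the confidentiality and integrity protection the negotiated algorithm would actually provide.

```python
"""Deriving the target shared key from the reference shared key on both ends.

Added example, not the patent's KDF. Assumptions: HKDF-SHA256 as the
derivation function; policy fields and a session identifier bound into the
HKDF info; key length taken from the policy; an HMAC tag stands in for the
AEAD the negotiated algorithm would provide.
"""
import hashlib
import hmac
import json


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Extract followed by HKDF-Expand, both with HMAC-SHA256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_target_key(reference_key: bytes, policy: dict, session_id: bytes) -> bytes:
    """Target shared key = KDF(reference shared key, target security policy, session id).

    Binding the policy into the derivation (a design choice of this example)
    means that if one side holds an altered policy it derives a different key,
    and the mismatch shows up on the first protected packet instead of the
    session quietly running under a policy one party never received.
    """
    info = b"roaming-e2e-key|" + session_id + b"|" + json.dumps(policy, sort_keys=True).encode()
    return hkdf_sha256(reference_key, b"target-shared-key", info, policy["key_length"] // 8)


def protect(key: bytes, seq: int, payload: bytes) -> tuple:
    """Integrity-protect one user-plane packet: (sequence number, payload, 128-bit tag)."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]
    return seq, payload, tag


def verify(key: bytes, packet: tuple) -> bool:
    """Check a packet produced by protect() under this key, in constant time."""
    seq, payload, tag = packet
    expected = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, expected)


# Constructed values: a stand-in for the basic key produced by mutual
# authentication, a session identifier, and a negotiated policy.
REFERENCE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
SESSION_ID = b"pdu-session-0001"
POLICY = {"algorithm": "AES-GCM", "key_length": 256, "update_period": 1800}


def end_to_end(ue_policy: dict, gateway_policy: dict) -> bool:
    """The UE derives its key from the policy it received, the visited gateway
    from the policy the V-SM holds; the UE then sends one protected uplink packet."""
    k_ue = derive_target_key(REFERENCE_KEY, ue_policy, SESSION_ID)
    k_gw = derive_target_key(REFERENCE_KEY, gateway_policy, SESSION_ID)
    packet = protect(k_ue, 1, b"uplink user data")
    return verify(k_gw, packet)


if __name__ == "__main__":
    print("same policy on both ends:", end_to_end(POLICY, POLICY))
    print("policy altered on the way to the UE:", end_to_end(dict(POLICY, algorithm="ZUC"), POLICY))
```

With identical policies the two derivations agree and the gateway accepts the packet; if the policy that reached the UE differs in any field, even one that leaves the key length unchanged, the keys differ and verification fails. Whether the target security policy is itself integrity-protected on its way to the UE is outside what the patent text specifies; binding it into the derivation is one way to make a divergence detectable.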
In a third aspect, an embodiment of the present invention provides a visited session management device, where the visited session management device includes:
a first receiving unit, configured to receive a first session establishment request including a first security requirement set sent by a user equipment UE, where the first security requirement set includes security requirements of the UE and security requirements of a target service, where the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
an obtaining unit, configured to obtain a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE;
a first sending unit, configured to send the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management equipment in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management equipment in the visited network; the target shared key is used for secure transmission of end-to-end protection data between the UE and the visited gateway.
By operating the above units, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a reference shared key is further processed by referring to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by or further derived from bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the second security requirement set includes security requirements of the visited gateway; the acquiring unit is specifically configured to send the first security requirement set and the second security requirement set to other devices in the visited network, so that the other devices in the visited network generate a target security policy according to the first security requirement set and the second security requirement set and send the target security policy to the visited session management device, or the visited session management device generates the target security policy according to the first security requirement set and the second security requirement set; the visited session management device prestores the security requirement of the visited gateway, or the visited session management device acquires the security requirement of the visited gateway from the visited gateway.
With reference to the third aspect, in a second possible implementation manner of the third aspect, the second security requirement set includes security requirements of the home gateway; the acquiring unit is specifically configured to: send a second policy request message to a home session management device, where the second policy request message includes the first security requirement set, and the home session management device is a device that manages a session in a home network of the UE; and receive a target security policy sent by the home session management device, where the target security policy is generated by a device in the home network according to the first security requirement set and a second security requirement set, triggered by the home session management device after it receives the second policy request message, and the device in the home network stores the second security requirement set.
With reference to the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management apparatus further includes: a second sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives a first session establishment request that includes a first security requirement set and is sent by a user equipment UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; a second receiving unit, configured to receive a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network; and a third sending unit, configured to send the target shared key to the visited gateway.
With reference to the second possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived according to the basic key of the UE in the visited network, the visited session management apparatus further includes: a first triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication; a third receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key to the home session management device; a fourth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
With reference to the first possible implementation manner of the third aspect or the second possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management device further includes: a fourth sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives the first session establishment request including the first security requirement set sent by the UE, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; a fifth receiving unit, configured to receive the reference shared key sent by the key management device in the home network and forwarded by the home session management device; and a first generating unit, configured to generate the target shared key according to the target security policy and the reference shared key and send the target shared key to the visited gateway.
With reference to the first possible implementation manner of the third aspect or the second possible implementation manner of the third aspect, in a sixth possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management device further includes: a second triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication; a sixth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network; and a second generating unit, configured to generate the target shared key according to the target security policy and the reference shared key and send the target shared key to the visited gateway.
With reference to the first possible implementation manner of the third aspect, in a seventh possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management apparatus further includes: a fifth sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives the first session establishment request including the first security requirement set sent by the UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; the second session establishment request includes the target security policy; a seventh receiving unit, configured to receive a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network; and a sixth sending unit, configured to send the target shared key to the visited gateway.
With reference to the first possible implementation manner of the third aspect, in an eighth possible implementation manner of the third aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived according to the basic key of the UE in the visited network, the visited session management apparatus further includes: a third triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication; an eighth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device; a ninth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
With reference to the third aspect, or the first possible implementation manner of the third aspect, or the second possible implementation manner of the third aspect, or the third possible implementation manner of the third aspect, or the fourth possible implementation manner of the third aspect, or the fifth possible implementation manner of the third aspect, or the sixth possible implementation manner of the third aspect, or the seventh possible implementation manner of the third aspect, or the eighth possible implementation manner of the third aspect, in a ninth possible implementation manner of the third aspect, the target security policy is obtained by processing the first security requirement set, the second security requirement set and a third security requirement set through preset rules, where the third security requirement set includes at least one of security requirements of a server providing the target service and security requirements of a subscription server of the UE.
In a fourth aspect, an embodiment of the present invention provides a user equipment, where the user equipment includes:
a sending unit, configured to send a first session establishment request including a first security requirement set to a visited session management device, where the first security requirement set includes security requirements of the UE and security requirements of a target service, the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
a receiving unit, configured to receive a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses the home network of the UE;
a generating unit, configured to generate a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management device in the visited network;
and a transmission unit, configured to protect secure transmission of data between the UE and the visited gateway by using the target shared key.
By operating the above units, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; a reference shared key is further processed according to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by, or further derived from, bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end secure transmission of data between the UE and the visited gateway, so that the UE can still transmit data securely after roaming to the visited network.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, and the user equipment further includes: a first authentication unit, configured to perform mutual authentication with the key management device in the home network to generate a basic key of the UE in the home network before the generating unit generates the target shared key based on the reference shared key according to the rule defined by the target security policy.
With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the reference shared key is a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network, and the user equipment further includes: a second authentication unit, configured to perform bidirectional authentication with the key management device in the visited network to generate a basic key of the UE in the visited network before the generating unit generates the target shared key based on the reference shared key according to the rule defined by the target security policy, where the key management device obtains, in advance, subscription information of the UE from a network element in the home network for bidirectional authentication.
In a fifth aspect, a visited session management device includes a processor, a memory, and a transceiver:
the memory is used for storing data and programs;
the processor calls a program in the memory for performing the following:
receiving, by the transceiver, a first session establishment request including a first security requirement set sent by a user equipment UE, where the first security requirement set includes security requirements of the UE and security requirements of a target service, where the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
acquiring a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set through a preset rule, the second security requirement set includes at least one of the security requirement of a visited gateway and the security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses the home network of the UE;
sending, by the transceiver, the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management device in the visited network; the target shared key is used to protect end-to-end secure transmission of data between the UE and the visited gateway.
By executing the above operations, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; a reference shared key is further processed according to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by, or further derived from, bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end secure transmission of data between the UE and the visited gateway, so that the UE can still transmit data securely after roaming to the visited network.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the second security requirement set includes security requirements of the visited gateway, and the processor acquires the target security policy specifically by:
sending the first security requirement set and the second security requirement set to other devices in the visited network, so that the other devices in the visited network generate a target security policy according to the first security requirement set and the second security requirement set and send the target security policy to the visited session management device, or the visited session management device generates the target security policy according to the first security requirement set and the second security requirement set; the visited session management device prestores the security requirement of the visited gateway, or the visited session management device acquires the security requirement of the visited gateway from the visited gateway.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the second security requirement set includes security requirements of the home gateway, and the processor acquires the target security policy specifically by:
sending a second policy request message to a home session management device through the transceiver, where the second policy request message includes the first security requirement set, and the home session management device is a device that manages sessions in a home network of the UE; and receiving, through the transceiver, a target security policy sent by the home session management device, where the target security policy is generated by a device in the home network according to the first security requirement set and a second security requirement set, triggered by the home session management device after it receives the second policy request message, and the device in the home network stores the second security requirement set.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor receives, through the transceiver, a first session establishment request including a first security requirement set sent by a user equipment UE, the processor is further configured to: send a second session establishment request to the home session management device through the transceiver, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; receive, through the transceiver, a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network; and send the target shared key to the visited gateway through the transceiver.
With reference to the second possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the processor is further configured to:
triggering a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, where the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication; receiving, through the transceiver, the reference shared key sent by the key management device in the visited network, and sending the reference shared key to the home session management device; and receiving, through the transceiver, the target shared key sent by the home session management device, and sending the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
With reference to the first possible implementation manner of the first aspect or the second possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor receives, through the transceiver, a first session establishment request including a first security requirement set sent by a user equipment UE, the processor is further configured to: send a second session establishment request to the home session management device through the transceiver, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; receive, through the transceiver, the reference shared key sent by the key management device in the home network and forwarded by the home session management device; and generate the target shared key according to the target security policy and the reference shared key, and send the target shared key to the visited gateway.
With reference to the first possible implementation manner of the first aspect or the second possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the processor is further configured to: trigger a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, where the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication; receive, through the transceiver, the reference shared key sent by the key management device in the visited network; and generate the target shared key according to the target security policy and the reference shared key, and send the target shared key to the visited gateway.
With reference to the first possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor receives, through the transceiver, a first session establishment request including a first security requirement set sent by a user equipment UE, the processor is further configured to: send a second session establishment request to the home session management device through the transceiver, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network, where the second session establishment request includes the target security policy; receive, through the transceiver, a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network; and send the target shared key to the visited gateway through the transceiver.
With reference to the first possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the processor is further configured to: trigger a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, where the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication; receive, through the transceiver, the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device; and receive, through the transceiver, the target shared key sent by the home session management device, and send the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
With reference to the first aspect, or the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, or the third possible implementation manner of the first aspect, or the fourth possible implementation manner of the first aspect, or the fifth possible implementation manner of the first aspect, or the sixth possible implementation manner of the first aspect, or the seventh possible implementation manner of the first aspect, or the eighth possible implementation manner of the first aspect, in a ninth possible implementation manner of the first aspect, the target security policy is obtained by processing the first security requirement set, the second security requirement set and a third security requirement set through preset rules, where the third security requirement set includes at least one of security requirements of a server providing the target service and security requirements of a subscription server of the UE.
In a sixth aspect, an embodiment of the present invention provides a user equipment, where the user equipment includes a processor, a memory, and a transceiver:
the memory is used for storing data and programs;
the processor calls a program in the memory for performing the following:
sending a first session establishment request containing a first security requirement set to a visited session management device through the transceiver, where the first security requirement set contains security requirements of the UE and security requirements of a target service, the security requirements defining at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service being a service currently executed by the UE, and the visited session management device being a device that manages sessions in a visited network of the UE;
receiving, through the transceiver, a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses the home network of the UE;
generating a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management device in the visited network;
and protecting secure transmission of data between the UE and the visited gateway by using the target shared key.
By executing the above operations, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; a reference shared key is further processed according to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by, or further derived from, bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end secure transmission of data between the UE and the visited gateway, so that the UE can still transmit data securely after roaming to the visited network.
With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect, the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network; before the processor generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the processor is further configured to: perform bidirectional authentication with the key management device in the home network to generate a basic key of the UE in the home network.
With reference to the sixth aspect, in a second possible implementation manner of the sixth aspect, the reference shared key is a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; before the processor generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the processor is further configured to: perform bidirectional authentication with the key management device in the visited network to generate a basic key of the UE in the visited network, where the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication.
In a seventh aspect, an embodiment of the present invention provides a network roaming protection system, where the system includes a visited session management device and a user equipment, where the visited session management device is a visited session management device described in any implementation manner of the third aspect or any implementation manner of the fifth aspect; the user equipment is the user equipment described in any implementation manner of the third aspect or any implementation manner of the fifth aspect.
By implementing the embodiment of the invention, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers the security requirements of some network elements in the home network and the security requirements of some network elements in the visited network; a reference shared key is then further processed according to the rules defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by bidirectional authentication of the UE in the home network or the visited network, or a key further derived from it; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects data transmission between the UE and the visited gateway end to end, so that the UE can still transmit data securely after roaming.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a schematic flow chart of network roaming in the prior art;
fig. 2 is a flowchart illustrating a network roaming protection method according to an embodiment of the present invention;
fig. 3A is a flowchart illustrating a network roaming protection method according to another embodiment of the present invention;
fig. 3B is a flowchart illustrating a network roaming protection method according to another embodiment of the present invention;
fig. 3C is a flowchart illustrating a network roaming protection method according to an embodiment of the present invention;
fig. 3D is a flowchart illustrating a network roaming protection method according to another embodiment of the present invention;
fig. 3E is a flowchart illustrating a network roaming protection method according to another embodiment of the present invention;
fig. 3F is a flowchart illustrating a network roaming protection method according to an embodiment of the present invention;
fig. 3G is a flowchart illustrating a network roaming protection method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a visited session management device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a user equipment according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another visiting session management device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another user equipment according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a network roaming protection system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and first, relevant terms and network elements that may be involved in the embodiments of the present invention are described.
The invention relates to roaming of user equipment between different Public Land Mobile Networks (PLMN for short); a Home Network (HPLMN for short) is the PLMN to which the user equipment belongs, and a Visited Network (VPLMN for short) is the PLMN that the user equipment accesses; a network element in the HPLMN stores the subscription information of the user equipment.
User Equipment (English: User Equipment, UE for short): the UE may be an intelligent terminal such as a mobile phone or an intelligent watch, a communication device such as a server, a gateway, a base station or a controller, an Internet of Things (IoT) device such as a sensor, an electricity meter or a water meter, or another device that can access a cellular network.
Mobility Management (English: Mobility Management, abbreviated as MM) network element: the physical entity performing the function of the mobility management network element may subsequently be referred to directly as a mobility management device or MM.
Session Management network element (English: Session Management, SM for short): the session management network element is configured to perform establishment and management of sessions, slices, flows, or bearers; subsequently, a physical entity that performs the function of the session management network element may be referred to as a session management device or SM. For ease of distinction, the session management device in the HPLMN may also be called a home session management device or H-SM, and the session management device in the VPLMN may be called a visited session management device or V-SM.
Key Management center (KMS): the KMS is responsible for generating, managing and negotiating keys and supports lawful interception. The KMS can be deployed independently as a separate logical functional entity, or can be integrated in the MM, the SM, or other devices. The physical entity that performs the functions of the key management center may subsequently be referred to as a key management device. In general, the KMS is an Authentication Unit (CP-AU) in a network, and a physical entity performing the function of the Authentication Unit may be referred to as a key management device or a CP-AU. For ease of distinction, the key management device in the HPLMN may also be referred to as a home key management device or HCP-AU, and the key management device in the VPLMN may be referred to as a visited key management device or VCP-AU.
Security Policy controller (SPCF for short): the security policy controller is used for managing security policies in a network, and may be a security policy controller in the HPLMN but not in the VPLMN, or the HPLMN and the VPLMN may each have their own security policy controller, and for convenience of distinction, the security policy controller in the HPLMN may be referred to as H-SPCF, and the security policy controller in the VPLMN may be referred to as V-SPCF; when there is no security policy controller in the VPLMN, security policy related functions may be performed by the V-SM or other network element in the VPLMN.
User Plane Gateway (English: User Plane-Gateway, UP-GW): the user plane gateway connects an operator network with a Data Network (English: Data Network, DN), and the UE accesses the network through the user plane gateway; in the embodiment of the invention, the gateway used when the UE accesses the HPLMN is called the home gateway HUP-GW, and the gateway used when the UE accesses the VPLMN is called the visited gateway VUP-GW.
Referring to fig. 2, fig. 2 is a flowchart illustrating a network roaming protection method according to an embodiment of the present invention, which includes, but is not limited to, the following steps.
Step S201: the user equipment UE sends a first session establishment request to the visited session management device.
Specifically, when the UE roams to the visited network VPLMN, a session (session) setup request is sent to a session management device in the VPLMN, where the session management device in the VPLMN is a visited session management device V-SM, and the session setup request sent to the V-SM by the UE may be referred to as a first session setup request. The first session establishment request may be sent with information in an attach (attach) procedure of the UE in the VPLMN. The first session establishment request may contain information such as the first set of security requirements, an identity UEID of the user equipment, etc.
The first security requirement set comprises security requirements of the UE and security requirements of a target service, wherein the security requirements define at least one of an acceptable key algorithm, an acceptable key length and an acceptable key update period, and the target service is a service currently executed by the UE; for example, the service data of the target service needs to be encrypted by a key during transmission, and the security requirement of the target service indicates which key algorithm the key can be calculated by, what the key length of the key can be, what the key update period of the key is, and so on. For another example, the UE needs to encrypt the data in the network by using a key, so the security requirement of the UE indicates which key algorithm the key can be calculated by, what the key length of the key can be, what the key update period of the key can be, and so on. The remaining types of security requirements may be analogized.
The UEID is used to indicate to the V-SM from which device the first session establishment request came. The UEID may be information that distinguishes the UE from other devices within a certain range; for example, the UEID may include a Media Access Control (MAC) address, an Internet Protocol (IP) address, a mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Identity (IMPI), a Temporary Mobile Subscriber Identity (TMSI), an IP Multimedia Identity (IMPI), a Globally Unique Temporary UE Identity (GUTI), and the like.
Step S202: the visiting session management equipment receives a first session establishment request sent by User Equipment (UE).
Step S203: the visited session management device acquires a target security policy.
Specifically, the visited session management device V-SM responds to the first session establishment request by obtaining a target security policy, where the target security policy is obtained by processing the first security requirement set and the second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a home gateway and a security requirement of a visited gateway, the home gateway is the user plane gateway that needs to be used when the UE accesses the home network, and the visited gateway is the user plane gateway that needs to be used when the UE accesses the visited network. It is to be understood that, in addition to the first and second security requirement sets, generation of the target security policy may also take a third security requirement set into account, where the third security requirement set includes at least one of security requirements of a server providing the target service, security requirements of a subscription server of the UE, and security requirements of a visited gateway. The preset rule generally determines a set of information such as a key algorithm, a key length and a key update period such that every security requirement in the first security requirement set and every security requirement in the second security requirement set is satisfied; the determined set of key algorithm, key length, key update period and the like is the target security policy. The target security policy may be generated by the V-SM, or generated by another network element and sent to the V-SM.
The way for the visiting session management device V-SM to obtain the target security policy includes, but is not limited to, the following cases:
Case one: the second security requirement set includes security requirements of the visited gateway. The visited session management device obtains the target security policy as follows: the visited session management device sends the first security requirement set and the second security requirement set to another device in the visited network VPLMN, for example to a Security Policy controller (Security Policy Function) in the VPLMN, so that the other device in the visited network generates the target security policy according to the first security requirement set and the second security requirement set and sends it to the visited session management device; accordingly, the visited session management device V-SM receives the target security policy. Alternatively, the visited session management device itself may generate the target security policy from the first security requirement set and the second security requirement set according to a preset rule; the visited session management device either prestores the security requirement of the visited gateway or acquires it from the visited gateway. That is, in this alternative, the target security policy is generated by a network element in the VPLMN of the UE.
Case two: the second security requirement set includes security requirements of the home gateway. The visited session management device obtains the target security policy as follows: the visited session management device V-SM sends a second policy request message to the home session management device H-SM, where the second policy request message includes the first security requirement set; the visited session management device V-SM then receives the target security policy sent by the home session management device H-SM, where the target security policy is generated according to the first security requirement set and a second security requirement set by a device in the home network that the home session management device triggers after receiving the second policy request message, and that device in the home network stores the second security requirement set. It is to be appreciated that the target security policy may be generated by the H-SM or by another device in the HPLMN, for example by a Security Policy controller (Security Policy Function) in the HPLMN. When it is generated by the H-SM, the H-SM may have pre-stored the second security requirement set or may have obtained it from the security policy controller; when it is generated by the security policy controller, the H-SM needs to send the first security requirement set to the security policy controller, which may have stored the second security requirement set in advance. That is, in this alternative, the target security policy is generated by a network element in the HPLMN and then sent to the V-SM in the VPLMN.
Optionally, when the target security policy is generated in the HPLMN, the network element in the HPLMN may send the target security policy to the network element in the VPLMN for standby; when the target security policy is generated in the VPLMN, a network element in the VPLMN may send the target security policy to a network element in the HPLMN for backup.
Step S204: the visited session management device sends the target security policy to the UE.
Specifically, the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management equipment in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management equipment in the visited network.
The following example shows how a new shared key is derived from the basic key of the UE in the home network; the derived shared key may be referred to as a transient shared key K_SID1.
In one alternative, the transient shared key K_SID1 = KDF(K, (at least one of UEID, slice ID, network ID, service parameters, time1, nonce1, sequence number)); that is, generating the transient shared key K_SID1 takes the basic key K of the UE in the home network into account, together with at least one of the UE ID, slice identifier, network identifier, service parameters, time1, nonce1 and sequence number.
In yet another alternative, the transient shared key K_SID1 = KDF(K, (at least one of slice identifier, network identifier, service parameters, time1, nonce1, sequence number), UE ID, E2E security policy); that is, the transient shared key K_SID1 is generated from the basic key K of the UE in the home network, the UE ID and the security policy E2E security policy configured in advance to define the generation manner of K_SID1, together with at least one of the slice identifier, network identifier, service parameters, time1, nonce1 and sequence number.
The "slice identifier" may be an identifier of a slice obtained by cutting a service currently performed by the UE;
the "Network identifier" may be an operator identifier (PLMN ID), an Access Network identifier (Access Network ID), a Serving Network identifier (Serving Network ID), a local area Network identifier (lan ID), a bearer ID, a quality of service identifier (QoS ID), a flow identifier (flow ID), and the like, which are associated with the HPLMN.
The "service parameters" may include information such as a sequence number SN, a timestamp, a freshness parameter (Fresh parameter1), a nonce (nonce1/random number1), and a service related identifier in the service currently carried out by the UE. The service-related identifier may include a device identifier, a session identifier (session ID), a link identifier, an application identifier (App ID), a server identifier (server ID), and the like of the key management center.
"time 1" may be the time the key is valid, the time of invalidity, the validity period, etc.
"nonce 1" is a random number, also called a freshness parameter.
It should be noted that the parameters required when the UE generates the target shared key may be parameters pre-stored in the UE, or may be exchanged between network elements in the HPLMN and/or the VPLMN and finally sent to the UE. In addition, the principle of deriving a new shared key from the basic key of the UE in the visited network is the same as that of deriving a new shared key from the basic key of the UE in the home network, and details are not repeated here.
Step S205: the UE receives the target security policy and generates a target shared key according to the reference shared key and the target security policy.
Specifically, whichever of the keys listed above serves as the reference shared key, the UE may generate the target shared key K_SID1' based on the target security policy and the reference shared key it already holds.
For example, the target shared key K_SID1' = KDF(K_SID1, New E2E Policy Set, (at least one of UE ID, slice ID, network ID, service parameters, time1, nonce1, sequence number)), where K_SID1 is the reference shared key and New E2E Policy Set is the target security policy. The formula shows that generating the target shared key K_SID1' takes the reference shared key K_SID1 and the target security policy New E2E Policy Set into account, together with at least one of the UE ID, slice ID, network ID, service parameters, time1, nonce1 and sequence number. It should be noted that, besides the target security policy and the reference shared key, the UE needs other parameters to generate the target shared key; these other parameters may be pre-stored in the UE or may be sent to the UE by a network element in the VPLMN or a network element in the HPLMN.
It should be noted that the target shared key may be used directly as the encryption key and the integrity protection key, or the encryption key and the integrity protection key may be further calculated from the target shared key. For example, the encryption key K_SID1'_enc = KDF(K_SID1', (at least one of security policy, encryption algorithm identifier, UE ID, session identifier)); that is, generating the encryption key takes the target shared key into account and, in addition, may take information such as the security policy, encryption algorithm identifier, UE ID and session identifier into account, where the encryption algorithm identifier indicates the encryption algorithm used for generating K_SID1'_enc. The integrity protection key K_SID1'_int = KDF(K_SID1', (at least one of Policy Set, integrity protection algorithm ID, UE ID, session ID)); that is, generating the integrity protection key takes the target shared key into account and, in addition, may take information such as the integrity protection algorithm ID, UE ID and session ID into account, where the integrity protection algorithm ID indicates the integrity protection algorithm used for generating K_SID1'_int.
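As an added illustration (not code from the patent), the following Python models the preset-rule policy negotiation of step S203 together with the key chain K → K_SID1 → K_SID1' → K_SID1'_enc / K_SID1'_int of steps S204 and S205. The KDF (HMAC-SHA256 over length-prefixed fields), the algorithm preference order and every identity, nonce and key value are assumptions or constructed samples, since the patent fixes none of them.

```python
# Added example (not code from the patent): models the preset-rule policy
# negotiation of step S203 and the key chain K -> K_SID1 -> K_SID1' ->
# K_SID1'_enc / K_SID1'_int of steps S204/S205. The KDF is assumed to be
# HMAC-SHA256 over length-prefixed fields (the patent fixes no concrete KDF);
# every identity, nonce and key below is a constructed sample value.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Assumed preference order when several algorithms satisfy every party.
ALGORITHM_PREFERENCE = ("AES-256-GCM", "AES-128-GCM", "SNOW-3G")


@dataclass(frozen=True)
class SecurityRequirement:
    """Acceptable algorithms, key lengths (bits), longest tolerated update period (s)."""
    algorithms: FrozenSet[str]
    key_lengths: FrozenSet[int]
    max_update_period: int


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy: one algorithm, one key length, one period."""
    algorithm: str
    key_length: int
    update_period: int

    def encode(self) -> bytes:
        """Canonical encoding fed to the KDF as the 'New E2E Policy Set'."""
        return f"{self.algorithm}|{self.key_length}|{self.update_period}".encode()


def negotiate_policy(requirements: Iterable[SecurityRequirement]) -> Optional[SecurityPolicy]:
    """Preset rule over one or more requirement sets: intersect acceptable algorithms
    and key lengths, take the most preferred algorithm and the longest common length,
    and rekey at least as often as the strictest party demands. None if no common choice."""
    reqs = list(requirements)
    algorithms = frozenset.intersection(*(r.algorithms for r in reqs))
    lengths = frozenset.intersection(*(r.key_lengths for r in reqs))
    common = [a for a in ALGORITHM_PREFERENCE if a in algorithms]
    if not common or not lengths:
        return None
    return SecurityPolicy(common[0], max(lengths), min(r.max_update_period for r in reqs))


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over 2-byte-length-prefixed fields, so two
    different field splits can never produce the same input string."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_transient_key(k_basic: bytes, ue_id: bytes, slice_id: bytes,
                         network_id: bytes, time1: bytes, nonce1: bytes) -> bytes:
    """K_SID1 = KDF(K, UEID, slice ID, network ID, time1, nonce1)."""
    return kdf(k_basic, b"K_SID1", ue_id, slice_id, network_id, time1, nonce1)


def derive_target_key(k_sid1: bytes, policy: SecurityPolicy,
                      ue_id: bytes, session_id: bytes) -> bytes:
    """K_SID1' = KDF(K_SID1, New E2E Policy Set, UE ID, session ID); the target
    shared key is thereby bound to the negotiated policy."""
    return kdf(k_sid1, b"K_SID1'", policy.encode(), ue_id, session_id)


def derive_traffic_keys(k_target: bytes, policy: SecurityPolicy,
                        ue_id: bytes, session_id: bytes) -> Tuple[bytes, bytes]:
    """K_SID1'_enc and K_SID1'_int: separated by purpose label and algorithm
    identifier, truncated to the negotiated key length."""
    n = policy.key_length // 8
    alg = policy.algorithm.encode()
    enc = kdf(k_target, b"enc", policy.encode(), alg, ue_id, session_id)[:n]
    integ = kdf(k_target, b"int", policy.encode(), alg, ue_id, session_id)[:n]
    return enc, integ


# Constructed sample requirement sets: UE, target service, visited gateway.
SAMPLE_REQUIREMENTS = [
    SecurityRequirement(frozenset({"AES-256-GCM", "AES-128-GCM", "SNOW-3G"}),
                        frozenset({128, 256}), 3600),
    SecurityRequirement(frozenset({"AES-256-GCM", "AES-128-GCM"}), frozenset({128, 256}), 7200),
    SecurityRequirement(frozenset({"AES-256-GCM"}), frozenset({256}), 86400),
]


def roaming_key_setup(k_basic: bytes = bytes(range(32))) -> Dict[str, object]:
    """One full run: negotiate the policy, then derive the key chain as either the
    UE or the network side would (both hold K after bidirectional authentication
    and the same exchanged parameters). k_basic is a constructed stand-in for K."""
    policy = negotiate_policy(SAMPLE_REQUIREMENTS)
    ue_id, session_id = b"UE-0001", b"session-42"
    k_sid1 = derive_transient_key(k_basic, ue_id, b"slice-7", b"PLMN-sample",
                                  b"valid-until:1700003600", b"\x11" * 16)
    k_target = derive_target_key(k_sid1, policy, ue_id, session_id)
    enc, integ = derive_traffic_keys(k_target, policy, ue_id, session_id)
    return {"policy": policy, "k_target": k_target, "enc": enc, "int": integ}
```

Because the policy encoding is a KDF input, a UE and a gateway that disagree on the negotiated policy end up with different traffic keys and fail to interoperate rather than silently using mismatched parameters.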
The target shared key is used to protect data transmission between the UE and the visited gateway end to end, where the visited gateway is the gateway through which the UE accesses the visited network. After the UE and the visited gateway adopt the target shared key as the shared key protecting data transmission between the UE and the visited network end to end, data transmitted between the UE and the visited network may be encrypted with the target shared key or with a shared key derived from the target shared key.
The following explains how the visited gateway VUP-GW acquires the target shared key.
In one optional scheme, after the visited session management device receives the first session establishment request containing the first security requirement set sent by the user equipment UE, the method further includes: the visited session management device sends a second session establishment request to the home session management device; correspondingly, the home session management device, according to the second session establishment request, triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the home session management device receives a reference shared key sent by the key management device in the home network, where the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network; the home session management device generates the target shared key according to the reference shared key and the target security policy; the home session management device sends the target shared key to the visited session management device; the visited session management device receives the target shared key sent by the home session management device; and the visited session management device sends the target shared key to the visited gateway.
In another optional scheme, the visited session management device acquires the target security policy as in "case one", and the method further includes: the visited session management device triggers the key management device in the visited network to perform bidirectional authentication with the UE to generate the basic key of the UE in the visited network, where the key management device acquires the subscription information of the UE from a network element in the home network in advance for the bidirectional authentication; the visited session management device receives the reference shared key sent by the key management device in the visited network and sends it to the home session management device, where the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network; the home session management device generates the target shared key according to the target security policy and the reference shared key; and the visited session management device receives the target shared key sent by the home session management device and sends it to the visited gateway.
In another optional scheme, the visited session management device acquires the target security policy as in "case one" or "case two", and after the visited session management device receives the first session establishment request containing the first security requirement set sent by the user equipment UE, the method further includes: the visited session management device sends a second session establishment request to the home session management device; the home session management device, according to the second session establishment request, triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the key management device in the home network sends a reference shared key to the home session management device, where the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network; the home session management device sends the reference shared key to the visited session management device; and the visited session management device generates the target shared key according to the target security policy and the reference shared key and sends the target shared key to the visited gateway.
In another optional scheme, the visited session management device acquires the target security policy as in "case one" or "case two", and the method further includes: the visited session management device triggers the key management device in the visited network to perform bidirectional authentication with the UE to generate the basic key of the UE in the visited network, where the key management device acquires the subscription information of the UE from a network element in the home network in advance for the bidirectional authentication; the visited session management device receives the reference shared key sent by the key management device in the visited network, where the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network; and the visited session management device generates the target shared key according to the target security policy and the reference shared key and sends the target shared key to the visited gateway.
In another optional scheme, after the visited session management device receives the first session establishment request containing the first security requirement set sent by the user equipment UE, the method further includes: the visited session management device sends a second session establishment request to the home session management device, where the second session establishment request includes the target security policy, and the home session management device, according to the second session establishment request, triggers the key management device in the home network to perform mutual authentication with the UE and generate the basic key of the UE in the home network; the key management device in the home network sends a reference shared key to the home session management device, where the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network; the home session management device generates the target shared key according to the target security policy and the reference shared key; and the visited session management device receives the target shared key sent by the home session management device and sends it to the visited gateway.
In another optional scheme, the visited session management device acquires the target security policy as in "case two", and the method further includes: the visited session management device triggers the key management device in the visited network to perform bidirectional authentication with the UE to generate the basic key of the UE in the visited network, where the key management device acquires the subscription information of the UE from a network element in the home network in advance for the bidirectional authentication; the visited session management device receives the reference shared key sent by the key management device in the visited network, where the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network; the visited session management device sends the reference shared key and the target security policy to the home session management device; the home session management device generates the target shared key according to the target security policy and the reference shared key; and the visited session management device receives the target shared key sent by the home session management device and sends it to the visited gateway.
It should be noted that, when the target shared key is generated by a network element in the visited network VPLMN, the visited session management device V-SM may further send the target shared key to the home session management device H-SM in the home network HPLMN, so that the H-SM may analyze data transmitted between the UE and the V-SM based on the target shared key, thereby implementing monitoring on the UE.
The embodiment of the invention also covers a local breakout routing scenario, in which the user plane gateway used by the UE changes from the user plane gateway HUP-GW of the HPLMN to a gateway UP-GW in the local network, and network data is then obtained directly from the local network.
In order to better understand the aspects of the embodiments of the present invention, several more specific aspects are provided below with reference to fig. 3A-3G to further illustrate the embodiment shown in fig. 2.
Referring to fig. 3A, fig. 3A is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network. The process is as follows:
step S3101: UE sends a first session establishment request to V-SM; the first session establishment request may carry information such as a first security requirement set, an identity UE id of the UE, and the like, where the first security requirement set may include security requirements of the UE (which may also be referred to as "security capabilities of the UE"), security requirements of a target service currently executed by the UE, and the like.
Step S3102: the V-SM receives and parses the first session establishment request to obtain information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to information such as the UE id, so as to determine which SM in the HPLMN needs to interact with subsequently, where the determined SM is H-SM.
Step S3103: the V-SM sends an authentication request message to the VCP-AU.
Step S3104: the VCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement protocol (AKA) of a third-generation mobile communication network, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and the like. The VCP-AU and the UE need to use the subscription information between the UE and the operator to which the UE belongs for mutual authentication; in one scheme, the request message carries the subscription information, and in another scheme, the request message carries the UE ID of the UE, the VCP-AU determines the home network of the UE according to the UE ID, and then obtains the subscription information from a network element in the home network (e.g., a home network subscription server such as an Authentication, Authorization, and Accounting (AAA) server).
Step S3105: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3106: the V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as a reference shared key, the first security requirement set of the UE, and the UE id of the UE, and possibly other security policies. The reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key generated based on the user plane basic key; the VCP-AU generates the user plane basic key and then generates the session key from the user plane basic key.
Step S3107: the H-SM receives the second session establishment request and parses the information in it, then sends an update request to a preset security policy controller H-SPCF; correspondingly, the security policy controller H-SPCF responds to the update request and processes the first security requirement set in the second session establishment request and a second security requirement set stored in the security policy controller H-SPCF according to a preset rule to obtain a target security policy. Alternatively, the H-SM itself processes the first and second security requirement sets according to the preset rule to obtain the target security policy; in that case the H-SM itself stores the second security requirement set or requests it from the security policy controller. The second security requirement set may include security requirements of network elements in the HPLMN, for example, the security requirements of the HCP-AU and the HUP-GW.
Step S3108: the H-SM generates, according to the target security policy and the reference shared key, a shared key for protecting the end-to-end secure transmission of data between the UE and the VUP-GW in the visited network, which may be referred to as the target shared key for convenience of description.
Step S3109: the H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN; correspondingly, the HUP-GW receives the target shared key, so that the HUP-GW can subsequently use the target shared key to monitor the session that the UE encrypts with that key.
Step S3110: the H-SM sends the target shared key and the target security policy to the V-SM.
Step S3111: the V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3112: the V-SM sends the target security policy to the UE.
Step S3113: the UE receives the target security policy and generates the target shared key according to the target security policy and the reference shared key; it should be noted that generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, and if the UE itself does not have the information to be referred to, the V-SM may send that information to the UE.
It should be noted that the steps may be executed in the sequence described above, or not entirely in that sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
Referring to fig. 3B, fig. 3B is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
Step S3201: the UE sends a first session establishment request to the V-SM; the first session establishment request may carry information such as a first security requirement set and an identity UE id of the UE, where the first security requirement set may include the security requirements of the UE, the security requirements of a target service currently executed by the UE, and the like.
Step S3202: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3203: the V-SM sends an authentication request message to the VCP-AU.
Step S3204: the VCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of a third-generation mobile communication network, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and the like. The VCP-AU and the UE need to use the subscription information between the UE and the operator to which the UE belongs for mutual authentication; in one scheme, the request message carries the subscription information; in another scheme, the request message carries the UE id of the UE, and the VCP-AU determines the home network of the UE according to the UE id and then acquires the subscription information from a network element in the home network.
Step S3205: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3206: the V-SM obtains a second security requirement set, where the second security requirement set includes the security requirements of the VUP-GW; the V-SM may obtain the security requirements of the VUP-GW from the VUP-GW, or may request them from another device that stores them. Further, the V-SM may also acquire the default security requirement of the UE in the subscription server from the H-SM.
Step S3207: the V-SM processes the first security requirement set and the second security requirement set according to a preset rule to obtain a new security policy, and may refer to other security policies (for example, the default security requirement of the UE in the subscription server) for generating the new security policy, and for convenience of description, the new security policy may be referred to as a target security policy. Or, the V-SM sends the information of the first security requirement set, the second security requirement set, and the like to a security policy controller V-SPCF configured in advance in the visited network VPLMN and used for managing security policies, and the security policy controller V-SPCF obtains a target security policy based on the information of the first security requirement set, the second security requirement set, and the like.
Step S3208: the V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as a reference shared key, the target security policy, and the UE id of the UE. The reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key generated based on the user plane basic key; the VCP-AU generates the user plane basic key and then generates the session key from the user plane basic key.
Step S3209: the H-SM generates, according to the target security policy and the reference shared key, a shared key for protecting the end-to-end secure transmission of data between the UE and the VUP-GW in the visited network, which may be referred to as the target shared key for convenience of description.
Step S3210: the H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN; correspondingly, the HUP-GW receives the target shared key, so that the HUP-GW can subsequently use the target shared key to monitor the session that the UE encrypts with that key.
Step S3211: the H-SM sends the target shared key to the V-SM.
Step S3212: the V-SM receives the target shared key and sends it to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3213: the V-SM sends the target security policy to the UE.
Step S3214: the UE receives the target security policy and generates the target shared key according to the target security policy and the reference shared key; it should be noted that generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, and if the UE itself does not have the information to be referred to, the V-SM may send that information to the UE.
It should be noted that the steps may be executed in the sequence described above, or not entirely in that sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
Referring to fig. 3C, fig. 3C is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
Step S3301: the UE sends a first session establishment request to the V-SM; the first session establishment request may carry information such as a first security requirement set of the UE and an identity UE id of the UE, where the first security requirement set may include the security requirements of the UE, the security requirements of a target service currently executed by the UE, and the like.
Step S3302: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3303: the V-SM sends an authentication request message to the VCP-AU.
Step S3304: the VCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of a third-generation mobile communication network, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and the like. The VCP-AU and the UE need to use the subscription information between the UE and the operator to which the UE belongs for mutual authentication; in one scheme, the request message carries the subscription information; in another scheme, the request message carries the UE id of the UE, and the VCP-AU determines the home network of the UE according to the UE id and then acquires the subscription information from a network element in the home network.
Step S3305: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3306: the V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the UE id of the UE.
Step S3307: the V-SM obtains a second security requirement set, where the second security requirement set includes the security requirements of the VUP-GW; the V-SM may obtain the security requirements of the VUP-GW from the VUP-GW, or may request them from another device that stores them. Further, the V-SM may also acquire the default security requirement of the UE in the subscription server from the H-SM.
Step S3308: the V-SM processes the first security requirement set and the second security requirement set according to a preset rule to obtain a new security policy, and may refer to other security policies (for example, the default security requirement of the UE in the subscription server) for generating the new security policy, and for convenience of description, the new security policy may be referred to as a target security policy. Or, the V-SM sends the information of the first security requirement set, the second security requirement set, and the like to a security policy controller V-SPCF configured in advance in the visited network VPLMN and used for managing security policies, and the security policy controller V-SPCF obtains a target security policy based on the information of the first security requirement set, the second security requirement set, and the like.
Step S3309: the V-SM generates, according to the target security policy and the reference shared key, a shared key for protecting the end-to-end secure transmission of data between the UE and the VUP-GW in the visited network, which may be referred to as the target shared key for convenience of description. Generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, which the V-SM may send to the UE if the UE itself does not have the information to be referred to. The reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key generated based on the user plane basic key; the VCP-AU generates the user plane basic key and then generates the session key from the user plane basic key.
Step S3310: the V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3311: the V-SM transmits the target security policy and/or the target shared key to the UE.
Step S3312: the UE receives the target security policy and generates the target shared key according to the target security policy and the reference shared key; it should be noted that generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, and if the UE itself does not have the information to be referred to, the V-SM may send that information to the UE.
Optionally, the V-SM further sends the target shared key to the H-SM; correspondingly, the H-SM receives the target shared key and sends it to the user plane gateway HUP-GW in the HPLMN, and the HUP-GW receives the target shared key, so that the HUP-GW can subsequently use the target shared key to monitor the session that the UE encrypts with that key.
It should be noted that the steps may be executed in the sequence described above, or not entirely in that sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
Referring to fig. 3D, fig. 3D is a schematic flowchart illustrating another network roaming protection method according to an embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
Step S3401: the UE sends a first session establishment request to the V-SM; the first session establishment request may carry information such as a first security requirement set of the UE and an identity UE id of the UE, where the first security requirement set may include the security requirements of the UE, the security requirements of a target service currently executed by the UE, and the like.
Step S3402: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3403: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3404: the V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the first security requirement set of the UE and the UE id of the UE, and possibly other security policies.
Step S3405: the H-SM receives the second session establishment request and parses the information in it, then sends an update request to a preset security policy controller; correspondingly, the security policy controller responds to the update request and processes the first security requirement set in the second session establishment request and a second security requirement set stored in the H-SM according to a preset rule to obtain a target security policy. Alternatively, the H-SM itself processes the first security requirement set and the second security requirement set according to the preset rule to obtain the target security policy; in that case the H-SM itself stores the second security requirement set or requests it from the security policy controller. The second security requirement set may include security requirements of network elements in the HPLMN, for example, the security requirements of the HCP-AU.
Step S3406: the H-SM sends an authentication request message to the HCP-AU.
Step S3407: the HCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of a third-generation mobile communication network, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and the like. The HCP-AU may store the subscription information, or may acquire it from the network element storing the subscription information in the HPLMN of the UE. It can be understood that, since the UE has previously accessed the HPLMN and the UE and the network elements in the HPLMN have therefore already authenticated each other, the basic key used by the embodiment of the present invention and the keys derived from it may also have been generated for the UE in the HPLMN beforehand.
Step S3408: the H-SM generates, according to the target security policy and the reference shared key, a shared key for protecting the end-to-end secure transmission of data between the UE and the VUP-GW in the visited network, which may be referred to as the target shared key for convenience of description. It should be noted that the reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key generated based on the user plane basic key; the HCP-AU generates the user plane basic key and then generates the session key from the user plane basic key.
Step S3409: the H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN; correspondingly, the HUP-GW receives the target shared key, so that the HUP-GW can subsequently use the target shared key to monitor the session that the UE encrypts with that key.
Step S3410: the H-SM sends the target shared key and the target security policy to the V-SM.
Step S3411: the V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3412: the V-SM sends the target security policy to the UE.
Step S3413: the UE receives the target security policy and generates the target shared key according to the target security policy and the reference shared key; it should be noted that generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, and if the UE itself does not have the information to be referred to, the V-SM may send that information to the UE.
It should be noted that the steps may be executed in the sequence described above, or not entirely in that sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
Referring to fig. 3E, fig. 3E is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
Step S3501: the UE sends a first session establishment request to the V-SM; the first session establishment request may carry information such as a first security requirement set of the UE and an identity UE id of the UE, where the first security requirement set may include the security requirements of the UE, the security requirements of a target service currently executed by the UE, and the like.
Step S3502: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3503: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3504: the V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the first security requirement set of the UE and the UE id of the UE, and possibly other security policies.
Step S3505: the H-SM receives the second session establishment request and parses the information in it, then sends an update request to a preset security policy controller; correspondingly, the security policy controller responds to the update request and processes the first security requirement set in the second session establishment request and a second security requirement set stored in the H-SM according to a preset rule to obtain a target security policy. Alternatively, the H-SM itself processes the first and second security requirement sets according to the preset rule to obtain the target security policy; in that case the H-SM itself stores the second security requirement set or requests it from the security policy controller. The second security requirement set may include security requirements of network elements in the HPLMN, for example, the security requirements of the HCP-AU and the HUP-GW.
Step S3506: the H-SM sends an authentication request message to the HCP-AU.
Step S3507: the HCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of a third-generation mobile communication network, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and the like. The HCP-AU may store the subscription information, or may acquire it from the network element storing the subscription information in the HPLMN of the UE. It can be understood that, since the UE has previously accessed the HPLMN and the UE and the network elements in the HPLMN have therefore already authenticated each other, the basic key used by the embodiment of the present invention and the keys derived from it may also have been generated for the UE in the HPLMN beforehand.
Step S3508: the H-SM sends the target security policy and the reference shared key to the V-SM; it should be noted that the reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key generated based on the user plane basic key; the HCP-AU generates the user plane basic key and then generates the session key from the user plane basic key.
Step S3509: the V-SM receives the target security policy and the reference shared key, and generates a shared key for protecting data security transmission of the UE end to end with the VUP-GW in the visited network according to the target security policy and the reference shared key, which may be referred to as a target shared key for convenience of description.
Step S3510: the V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3511: the V-SM sends the target security policy to the UE.
Step S3512: the UE receives the target security policy and generates the target shared key according to the target security policy and the reference shared key; it should be noted that generating the target shared key may also require reference to other information, such as the session identifier of the session currently to be established, the UE id, and the like, and if the UE itself does not have the information to be referred to, the V-SM may send that information to the UE.
Optionally, the V-SM further sends the target shared key to the H-SM; correspondingly, the H-SM receives the target shared key and sends it to the user plane gateway HUP-GW in the HPLMN, and the HUP-GW receives the target shared key, so that the HUP-GW can subsequently use the target shared key to monitor the session that the UE encrypts with that key.
It should be noted that the steps may be executed in the sequence described above, or not entirely in that sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
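The following Python model is added here to illustrate the key establishment described in figs. 3A to 3F and is not code from the patent or its applicant: it plays the UE, CP-AU, session management and gateway roles in the fig. 3A ordering, combines the first and second security requirement sets into a target security policy, forms the reference shared key under case one or case two, derives the target shared key from the reference key, the policy, the session identifier and the UE id, and shows the UE, the VUP-GW and the HUP-GW ending up with the same key. The combination rule, the HMAC-SHA-256 key derivation, the algorithm names, the identifiers and all key values are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRequirements:
    """One security requirement set: acceptable algorithms in order of
    preference and a minimum key length in bits (constructed model; the
    patent does not specify the encoding of a requirement set)."""
    algorithms: tuple
    min_key_bits: int


@dataclass(frozen=True)
class SecurityPolicy:
    """The target security policy agreed for the session."""
    algorithm: str
    key_bits: int

    def encode(self) -> bytes:
        # Canonical byte form, so the UE and the network derive from identical input.
        return f"{self.algorithm}:{self.key_bits}".encode()


def negotiate_policy(first: SecurityRequirements,
                     second: SecurityRequirements) -> SecurityPolicy:
    """Preset rule assumed for this example (the patent leaves it open): take
    the UE's most-preferred algorithm that the network element also accepts and
    the stricter of the two minimum key lengths. No common algorithm is an
    error, not a silent fallback to a weaker policy."""
    for alg in first.algorithms:
        if alg in second.algorithms:
            key_bits = max(first.min_key_bits, second.min_key_bits)
            if key_bits > 256:
                raise ValueError("key length exceeds the KDF output size")
            return SecurityPolicy(alg, key_bits)
    raise ValueError("no algorithm common to both security requirement sets")


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """HMAC-SHA-256 based key derivation (assumption: the patent names no
    function). Every parameter is length-prefixed so that different parameter
    lists can never produce the same HMAC input."""
    msg = label.encode()
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def reference_shared_key(basic_key: bytes, session_id: bytes, case: int) -> bytes:
    """Case one: the reference shared key is the user plane basic key itself.
    Case two: it is a session key the CP-AU derives from the basic key."""
    if case == 1:
        return basic_key
    if case == 2:
        return kdf(basic_key, "session-key", session_id)
    raise ValueError("unknown reference shared key case")


def target_shared_key(reference_key: bytes, policy: SecurityPolicy,
                      session_id: bytes, ue_id: bytes) -> bytes:
    """Target shared key bound to the policy, the session and the UE, and
    truncated to the key length the policy demands."""
    full = kdf(reference_key, "target-shared-key", policy.encode(), session_id, ue_id)
    return full[: policy.key_bits // 8]


def integrity_tag(key: bytes, user_plane_data: bytes) -> bytes:
    """Tag the VUP-GW (or UE) attaches to user plane data under the target key;
    any element holding the same key, such as the HUP-GW, can verify it."""
    return hmac.new(key, user_plane_data, hashlib.sha256).digest()


def verify_integrity(key: bytes, user_plane_data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, user_plane_data), tag)


def run_flow(case: int = 1) -> dict:
    """Walk the roles of fig. 3A with constructed inputs and return what each
    side ends up holding."""
    ue_id = b"ue-example-001"          # constructed UE id
    session_id = b"session-0042"       # constructed session identifier
    # S3101: first security requirement set carried by the UE.
    first_set = SecurityRequirements(("AES-256-GCM", "AES-128-GCM", "NULL"), 128)
    # S3107: second security requirement set held by the H-SPCF.
    second_set = SecurityRequirements(("AES-128-GCM", "AES-256-GCM"), 256)
    # S3104: bidirectional authentication (AKA/GBA/Kerberos) yields the user
    # plane basic key; a constructed value stands in for that output.
    basic_key = hashlib.sha256(b"constructed authentication output").digest()
    ref_key = reference_shared_key(basic_key, session_id, case)
    policy = negotiate_policy(first_set, second_set)                     # S3107
    network_key = target_shared_key(ref_key, policy, session_id, ue_id)  # S3108
    hup_gw_key = network_key   # S3109: delivered to the HUP-GW
    vup_gw_key = network_key   # S3110-S3111: delivered via the V-SM to the VUP-GW
    # S3112-S3113: the UE receives only the policy and derives the key itself.
    ue_key = target_shared_key(ref_key, policy, session_id, ue_id)
    # The VUP-GW protects data; the HUP-GW can check it with the same key.
    data = b"constructed user plane payload"
    tag = integrity_tag(vup_gw_key, data)
    return {"policy": policy, "ue": ue_key, "vup_gw": vup_gw_key,
            "hup_gw": hup_gw_key,
            "hup_gw_can_verify": verify_integrity(hup_gw_key, data, tag)}
```

Because the session identifier and UE id enter the derivation, the same reference shared key yields a different target shared key per session, and case two yields a different key from case one.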
Referring to fig. 3F, fig. 3F is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
Step S3601: the UE sends a first session establishment request to the V-SM; the first session establishment request may carry information such as a first security requirement set of the UE and an identity UE id of the UE, where the first security requirement set may include the security requirements of the UE, the security requirements of a target service currently executed by the UE, and the like.
Step S3602: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3603: the V-SM selects a proper user plane path, namely selects a user plane gateway UP-GW of the UE in a visited network VPLMN for the UE, and the UP-GW selected for the UE is a VUP-GW.
Step S3604: the V-SM obtains a second security requirement set, where the second security requirement set includes the security requirements of the VUP-GW; the V-SM may obtain the security requirements of the VUP-GW from the VUP-GW, or may request them from another device that stores them. Further, the V-SM may also acquire the default security requirement of the UE in the subscription server from the H-SM.
Step S3605: the V-SM processes the first security requirement set and the second security requirement set according to a preset rule to obtain a new security policy, and may refer to other security policies (for example, the default security requirement of the UE in the subscription server) for generating the new security policy, and for convenience of description, the new security policy may be referred to as a target security policy. Or, the V-SM sends the information of the first security requirement set, the second security requirement set, and the like to a security policy controller V-SPCF configured in advance in the visited network VPLMN and used for managing security policies, and the security policy controller V-SPCF obtains a target security policy based on the information of the first security requirement set, the second security requirement set, and the like.
Step S3606: and the V-SM sends a second session establishment request to the H-SM, wherein the second session establishment request comprises the target security policy, the UE ID of the UE and other information.
Step S3607: the H-SM sends an authentication request message to the HCP-AU.
Step S3608: the HCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of third-generation mobile communication networks, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and so on. The HCP-AU and the UE perform mutual authentication using the subscription information between the UE and the operator to which the UE belongs; this subscription information may be stored in the HCP-AU or obtained from other network elements in the HPLMN. It can be understood that, since the UE has previously accessed the HPLMN and has therefore already been authenticated with the network elements in the HPLMN, the basic key used in this embodiment, and the keys derived from it, may also have been generated for the UE in the HPLMN beforehand.
Step S3609: the H-SM generates, according to the target security policy and a reference shared key, a shared key for protecting end to end the secure transmission of data between the UE and the VUP-GW in the visited network; for convenience of description this shared key is referred to as the target shared key. The reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key derived from the user plane basic key; in this case the HCP-AU first generates the user plane basic key and then generates the session key based on it.
Step S3610: the H-SM sends the target shared key to a user plane gateway HUP-GW in the HPLMN; the HUP-GW receives the target shared key so that it can subsequently monitor the session that the UE encrypts with the target shared key.
Step S3611: the H-SM sends the target shared key and the target security policy to the V-SM.
Step S3612: the V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN; it may also send the target shared key to the VCP-AU for storage.
Step S3613: the V-SM sends the target security policy to the UE.
Step S3614: the UE receives the target security policy and generates the target shared key from the reference shared key according to the target security policy. It should be noted that generating the target shared key may also require other information, such as a session identifier of the session currently to be established, the UE id, and so on; any such information that the UE does not already hold may be sent to the UE by the V-SM.
It should be noted that, each step may be executed according to the above described sequence, or may not be executed completely according to the described sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN, so that the UE and the VUP-GW can protect the secure transmission of data end to end based on the target shared key, and meanwhile, the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the target shared key.
Referring to fig. 3G, fig. 3G is a schematic flowchart illustrating a network roaming protection method according to another embodiment of the present invention; the related network elements comprise user equipment UE, home session management equipment H-SM, visited session management equipment V-SM, key management equipment HCP-AU in a home network, key management equipment VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy controller H-SPCF of the home network and a security policy controller V-SPCF of the visited network; the process is as follows:
step S3701: UE sends a first session establishment request to V-SM; the first session establishment request may carry information such as a first security requirement set of the UE, an identity UE id of the UE, and the like, where the first security requirement set may include security requirements of the UE, security requirements of a target service currently executed by the UE, and the like.
Step S3702: the V-SM receives and parses the first session establishment request for information in the first session establishment request, and then the V-SM may determine a home network HPLMN of the UE according to the UE id, thereby determining which SM in the HPLMN to interact with subsequently, the determined SM being H-SM.
Step S3703: the V-SM selects a suitable user plane path, that is, it selects a user plane gateway UP-GW for the UE in the visited network VPLMN; the UP-GW selected for the UE is referred to as the VUP-GW.
Step S3704: the V-SM obtains a second security requirement set, which includes the security requirements of the VUP-GW; the V-SM may obtain these from the VUP-GW itself or request them from another device that stores the security requirements of the VUP-GW. Further, the V-SM may also obtain the default security requirement of the UE held in the subscription server from the H-SM.
Step S3705: the V-SM processes the first security requirement set and the second security requirement set according to a preset rule to obtain a new security policy, and may also refer to other security policies (for example, the default security requirement of the UE in the subscription server) when generating it; for convenience of description, the new security policy is referred to as the target security policy. Alternatively, the V-SM sends the first security requirement set, the second security requirement set and related information to a security policy controller V-SPCF, configured in advance in the visited network VPLMN for managing security policies, and the V-SPCF obtains the target security policy based on that information.
Step S3706: the V-SM sends a second session establishment request to the H-SM, which includes the UE ID of the UE and other information.
Step S3707: the H-SM sends an authentication request message to the HCP-AU in accordance with the second session establishment request.
Step S3708: the HCP-AU receives the authentication request message and performs bidirectional authentication with the UE to obtain a user plane basic key; the network authentication mode may be the Authentication and Key Agreement (AKA) protocol of third-generation mobile communication networks, the General Bootstrapping Architecture (GBA), the Kerberos protocol, and so on. The HCP-AU and the UE perform mutual authentication using the subscription information between the UE and the operator to which the UE belongs; this subscription information may be stored in the HCP-AU or obtained from other network elements in the HPLMN. It can be understood that, since the UE has previously accessed the HPLMN and has therefore already been authenticated with the network elements in the HPLMN, the basic key used in this embodiment, and the keys derived from it, may also have been generated for the UE in the HPLMN beforehand.
Step S3709: the HCP-AU sends the reference shared key to the H-SM, which in turn receives the reference shared key and forwards the reference shared key to the V-SM.
Step S3710: the V-SM generates, according to the target security policy and the reference shared key, a shared key for protecting end to end the secure transmission of data between the UE and the VUP-GW in the visited network; for convenience of description this shared key is referred to as the target shared key. Generating the target shared key may also require other information, such as a session identifier of the session currently to be established, the UE id, and so on; any such information that the UE does not already hold may be sent to the UE by the V-SM. The reference shared key includes, but is not limited to, the following cases:
Case one: the reference shared key is the user plane basic key.
Case two: the reference shared key is a session key derived from the user plane basic key; in this case the key management device that performed the authentication (the HCP-AU in this flow, see steps S3708 and S3709) first generates the user plane basic key and then generates the session key based on it.
Step S3711: the V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may also send the target shared key to the VCP-AU for storage.
Step S3712: the V-SM sends the target security policy to the UE.
Step S3713: the UE receives the target security policy and generates the target shared key from the reference shared key according to the target security policy. It should be noted that generating the target shared key may also require other information, such as a session identifier of the session currently to be established, the UE id, and so on; any such information that the UE does not already hold may be sent to the UE by the V-SM.
Optionally, the V-SM further sends the target shared key to the H-SM; the H-SM receives it and sends it to the user plane gateway HUP-GW in the HPLMN, and the HUP-GW receives the target shared key so that it can subsequently monitor the session that the UE encrypts with the target shared key.
It should be noted that, each step may be executed according to the above described sequence, or may not be executed completely according to the described sequence, as long as there is no problem in logic.
After the above operations are performed, the target shared key is shared between the UE and the VUP-GW in the VPLMN and, when the optional forwarding to the H-SM is carried out, also between the UE and the HUP-GW in the HPLMN; the UE and the VUP-GW can therefore protect the secure transmission of data end to end based on the target shared key, and the HUP-GW can monitor the data transmitted between the UE and the VUP-GW based on the same key.
In the foregoing method embodiments, when the UE roams to a visited network, a target security policy is generated by a network element in a home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a reference shared key is further processed by referring to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated or further derived by bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
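The two flows above (steps S3601 to S3614 and S3701 to S3713) leave two things unspecified: the preset rule that merges the security requirement sets into the target security policy, and the function that turns the reference shared key into the target shared key. The following added example is not part of the patent and is not Huawei's code; it fills those gaps with assumptions of its own, namely a conservative merge rule (algorithms common to every party, the strictest key length, the shortest update period), HKDF-SHA256 as the derivation function, and the target security policy, session identifier and UE id bound into the derivation context. All identifiers, the long-term secret and the requirement values are constructed for the example. It covers both reference-key cases (the basic key, or a session key derived from it) and shows what happens when the UE is handed a policy different from the one the network side used.

```python
"""Added example (not from the patent): policy merge and target shared key
derivation for the roaming flows. Merge rule, KDF and context binding are
all assumptions; the patent fixes none of them."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed preference order when several algorithms are acceptable to everyone.
ALGORITHM_PREFERENCE = ("AES-256-GCM", "AES-128-GCM", "SNOW-3G")


@dataclass(frozen=True)
class SecurityRequirement:
    """One party's requirement: acceptable algorithms, minimum key length
    in bits and maximum key update period in seconds."""
    algorithms: frozenset
    min_key_len: int
    max_update_period: int


def merge_policy(*requirements):
    """Preset rule (assumed): keep only algorithms every party accepts, take the
    strictest key length and the shortest update period. Refuses irreconcilable
    sets instead of silently weakening the result."""
    common = frozenset.intersection(*(r.algorithms for r in requirements))
    chosen = next((a for a in ALGORITHM_PREFERENCE if a in common), None)
    if chosen is None:
        raise ValueError("no key algorithm acceptable to every party")
    return {
        "algorithm": chosen,
        "key_len": max(r.min_key_len for r in requirements),
        "update_period": min(r.max_update_period for r in requirements),
    }


def hkdf_sha256(ikm, info, length):
    """RFC 5869 HKDF-SHA256 with a zero salt, standard library only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(basic_key, session_id):
    """Case two of the flows: a session key derived from the user plane basic key."""
    return hkdf_sha256(basic_key, b"session|" + session_id, 32)


def target_shared_key(reference_key, policy, session_id, ue_id):
    """Derive the target shared key from the reference shared key under the rule
    defined by the target security policy. The policy itself is part of the
    context (assumed design), so a UE shown a different policy derives a
    different key and the session fails instead of running downgraded."""
    context = b"|".join(
        [b"target", json.dumps(policy, sort_keys=True).encode(), session_id, ue_id]
    )
    return hkdf_sha256(reference_key, context, policy["key_len"] // 8)


def run_roaming_flow(reference="basic", tampered_policy_for_ue=None):
    """Simulate S3601..S3614 / S3701..S3713 with constructed inputs and return
    the keys each party ends up holding so they can be compared."""
    ue_id, session_id = b"imsi-001010123456789", b"pdu-session-7"  # constructed

    # First security requirement set: UE plus target service (S3601/S3701).
    ue_req = SecurityRequirement(frozenset({"AES-256-GCM", "AES-128-GCM"}), 128, 3600)
    svc_req = SecurityRequirement(frozenset(ALGORITHM_PREFERENCE), 256, 7200)
    # Second security requirement set: VUP-GW (S3604/S3704), plus subscription default.
    vupgw_req = SecurityRequirement(frozenset({"AES-256-GCM", "SNOW-3G"}), 128, 1800)
    default_req = SecurityRequirement(frozenset(ALGORITHM_PREFERENCE), 128, 86400)
    policy = merge_policy(ue_req, svc_req, vupgw_req, default_req)  # S3605/S3705

    # S3608/S3708: mutual authentication yields the user plane basic key on both
    # sides. Constructed stand-in for the AKA/GBA outcome shared by UE and HCP-AU.
    basic_key = hashlib.sha256(b"constructed-long-term-secret|" + ue_id).digest()
    reference_key = basic_key if reference == "basic" else session_key(basic_key, session_id)

    # Network side (H-SM in fig. 3F, V-SM in fig. 3G) derives and distributes the key.
    network_key = target_shared_key(reference_key, policy, session_id, ue_id)
    vupgw_key = hupgw_key = network_key  # S3610..S3612 / S3711 and optional forwarding

    # UE side derives from the policy it actually received (S3613/S3614, S3712/S3713).
    ue_policy = tampered_policy_for_ue or policy
    ue_key = target_shared_key(reference_key, ue_policy, session_id, ue_id)
    return {"policy": policy, "ue_key": ue_key, "vupgw_key": vupgw_key, "hupgw_key": hupgw_key}


if __name__ == "__main__":
    result = run_roaming_flow()
    print(result["policy"], result["ue_key"] == result["vupgw_key"])
```

The design choice worth noticing is the policy bound into the derivation context: if the policy delivered in step S3613 or S3712 were altered in transit to a weaker one, the UE and the VUP-GW would derive different keys and the session would fail rather than silently run under the downgraded policy. The patent text does not state this binding; it is an assumption of the example, as is the refusal in `merge_policy` when no algorithm satisfies every party.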
While the method of the embodiments of the present invention has been described in detail above, to facilitate a better understanding of the above-described aspects of the embodiments of the present invention, the following provides a corresponding apparatus of the embodiments of the present invention.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a visiting session management apparatus 40 according to an embodiment of the present invention, where the visiting session management apparatus includes a first receiving unit 401, an obtaining unit 402, and a first sending unit 403, where details of each unit are as follows:
the first receiving unit 401 is configured to receive a first session establishment request that includes a first security requirement set and is sent by a user equipment UE, where the first security requirement set includes security requirements of the UE and security requirements of a target service, the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device 40 is a device that manages a session in a visited network of the UE;
the obtaining unit 402 is configured to obtain a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, where the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE;
a first sending unit 403, configured to send the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management equipment in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management equipment in the visited network; the target shared key is used to protect, end to end, the secure transmission of data between the UE and the visited gateway.
By operating the above units, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a reference shared key is further processed by referring to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by or further derived from bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
In an alternative arrangement, the second set of security requirements comprises security requirements of the visited gateway; the obtaining unit 402 is specifically configured to send the first security requirement set and the second security requirement set to other devices in the visited network, so that the other devices in the visited network generate a target security policy according to the first security requirement set and the second security requirement set and send the target security policy to the visited session management device 40, or the visited session management device 40 generates the target security policy according to the first security requirement set and the second security requirement set; the visited session managing device 40 has pre-stored the security requirements of the visited gateway or the visited session managing device 40 has obtained the security requirements of the visited gateway from the visited gateway.
In yet another alternative, the second set of security requirements includes security requirements of the home gateway; the obtaining unit 402 is specifically configured to:
sending a second policy request message to a home session management device, where the second policy request message includes a first security requirement set, and the home session management device is a device for managing a session in a home network of the UE;
and receiving a target security policy sent by the home session management device, where the target security policy is generated by a device in the home network, triggered by the home session management device after it receives the second policy request message, according to the first security requirement set and a second security requirement set that the device in the home network stores.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management apparatus 40 further includes:
a second sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit 401 receives a first session establishment request containing a first security requirement set sent by a user equipment UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
a second receiving unit, configured to receive a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network;
and a third sending unit, configured to send the target shared key to the visited gateway.
In yet another alternative, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management apparatus 40 further includes:
a first triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication;
a third receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key to the home session management device;
a fourth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management apparatus 40 further includes:
a fourth sending unit, configured to send a second session establishment request to the home session management device after the first receiving unit 401 receives the first session establishment request containing the first security requirement set sent by the UE, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
a fifth receiving unit configured to receive the reference shared key transmitted by the key management apparatus in the home network and forwarded by the home session management apparatus;
and the first generating unit is used for generating the target shared key according to the target security policy and the reference shared key and sending the target shared key to the visit gateway.
In yet another alternative, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management apparatus 40 further includes:
a second triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication;
a sixth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network;
and the second generating unit is used for generating the target shared key according to the target security policy and the reference shared key and sending the target shared key to the visit gateway.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management apparatus 40 further includes:
a fifth sending unit, configured to send a second session establishment request to the home session management device after the first receiving unit 401 receives the first session establishment request containing the first security requirement set sent by the UE, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; the second session establishment request includes the target security policy;
a seventh receiving unit, configured to receive a target shared key sent by the home session management device, where the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by a key management device in the home network;
and a sixth sending unit, configured to send the target shared key to the visited gateway.
In yet another alternative, when the reference shared key is a basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management apparatus 40 further includes:
a third triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate a basic key of the UE in the visited network, where the key management device obtains subscription information of the UE from a network element in the home network in advance for mutual authentication;
an eighth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device;
a ninth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
In yet another alternative, the target security policy is obtained by processing the first security requirement set, the second security requirement set, and a third security requirement set according to a preset rule, where the third security requirement set includes at least one of security requirements of a server providing the target service and security requirements of a subscription server of the UE.
It should be noted that the specific implementation of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 2.
In the visited session management apparatus 40 depicted in fig. 4, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by further processing the reference shared key with reference to a rule defined by the target security policy, where the reference shared key is a key generated or further derived by bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a user equipment 50 according to an embodiment of the present invention, where the user equipment 50 includes a sending unit 501, a receiving unit 502, a generating unit 503, and a transmitting unit 504, where details of each unit are described below.
The sending unit 501 is configured to send, to a visited session management device, a first session establishment request including a first security requirement set, where the first security requirement set includes security requirements of the UE and security requirements of a target service, where the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
the receiving unit 502 is configured to receive a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of an home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE;
the generating unit 503 is configured to generate a target shared key based on the reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management equipment in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management equipment in the visited network;
the transmission unit 504 is configured to protect secure transmission of data between the UE and the visited gateway through the target shared key.
By operating the above units, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a reference shared key is further processed by referring to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated by or further derived from bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
In an optional scheme, the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, and the user equipment 50 further includes:
a first authentication unit, configured to perform mutual authentication with the key management apparatus in the home network to generate a basic key of the UE in the home network before the generation unit 503 generates a target shared key based on a reference shared key according to a rule defined by the target security policy.
In yet another alternative, the reference shared key is a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the user equipment 50 further comprises:
a second authenticating unit, configured to perform bidirectional authentication with the key management device in the visited network to generate a basic key of the UE in the visited network before the generating unit 503 generates a target shared key based on a reference shared key according to a rule defined by the target security policy, where the key management device obtains subscription information of the UE from a network element in the home network in advance for bidirectional authentication.
It should be noted that the specific implementation of each unit may also correspond to the corresponding description of the method embodiment shown in fig. 2.
In the user equipment 50 depicted in fig. 5, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by further processing the reference shared key with reference to the rules defined by the target security policy, where the reference shared key is a key generated or further derived by bidirectional authentication of the UE in the home network or the visited network; and finally, the UE and the visiting gateway in the visiting network use the target shared key as a shared key for protecting data safe transmission between the UE and the visiting gateway end to end, so that the UE can still safely transmit data after the network roams.
Referring to fig. 6, fig. 6 is a schematic structural diagram of another visited session management apparatus 60 according to an embodiment of the present invention, where the visited session management apparatus 60 includes a processor 601, a memory 602, and a transceiver 603, and the processor 601, the memory 602, and the transceiver 603 are connected to each other through a bus.
The memory 602 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), or portable read-only memory (CD-ROM); the memory 602 stores the associated instructions and data.
The transceiver 603 may include a receiver and a transmitter, e.g., a radio frequency module.
The processor 601 may be one or more Central Processing Units (CPUs), and in the case that the processor 601 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 601 in the visited session management device 60 is configured to read the program code stored in the memory 602 and perform the following operations:
receiving, by the transceiver 603, a first session establishment request including a first security requirement set sent by a UE, where the first security requirement set includes security requirements of the UE and security requirements of a target service, where the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
acquiring a target security policy, wherein the target security policy is obtained by processing the first security requirement set and a second security requirement set through a preset rule, the second security requirement set comprises at least one of the security requirement of a visited gateway and the security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE is accessed to the visited network, and the home gateway is a user plane gateway used when the UE is accessed to the home network of the UE;
sending the target security policy to the UE through the transceiver 603, so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management device in the visited network; the target shared key is used to protect, end to end, the secure transmission of data between the UE and the visited gateway.
By executing the above operations, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a reference shared key is further processed according to a rule defined by the target security policy to generate a target shared key, where the reference shared key is a key generated, or further derived from a key generated, by bidirectional authentication of the UE in the home network or the visited network; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end data transmission between the UE and the visited gateway, so that the UE can still transmit data securely after roaming.
In yet another alternative, the second set of security requirements includes security requirements of the visited gateway; the processor 601 obtains a target security policy, specifically:
sending the first security requirement set and the second security requirement set to other devices in the visited network, so that the other devices in the visited network generate a target security policy according to the first security requirement set and the second security requirement set and send the target security policy to the visited session management device, or the visited session management device generates the target security policy according to the first security requirement set and the second security requirement set; the visited session management device prestores the security requirement of the visited gateway, or the visited session management device acquires the security requirement of the visited gateway from the visited gateway.
In yet another alternative, the second set of security requirements includes security requirements of the home gateway; the processor 601 obtains a target security policy, specifically:
sending a second policy request message to a home session management device through the transceiver 603, where the second policy request message includes a first security requirement set, and the home session management device is a device that manages a session in a home network of the UE;
receiving, by the transceiver 603, a target security policy sent by the home session management device, where the target security policy is generated by the device in the home network according to the first security requirement set and a second security requirement set after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor 601 receives a first session establishment request containing a first security requirement set sent by a UE through the transceiver 603, the processor 601 is further configured to:
sending a second session establishment request to the home session management device through the transceiver 603, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
receiving, by the transceiver 603, a target shared key sent by the home session management device, the target shared key being generated by the home session management device according to the target security policy and the reference shared key, the reference shared key being sent by a key management device in the home network;
the target shared key is sent to the visited gateway through the transceiver 603.
In yet another alternative, when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the processor 601 is further configured to:
triggering a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, wherein the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
receiving, by the transceiver 603, the reference shared key sent by the key management device in the visited network, and sending the reference shared key to the home session management device;
receiving the target shared key sent by the home session management device through the transceiver 603, and sending the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor 601 receives a first session establishment request containing a first security requirement set sent by a UE through the transceiver 603, the processor 601 is further configured to:
sending a second session establishment request to the home session management device through the transceiver 603, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
receiving, by the transceiver 603, the reference shared key forwarded by the home session management device and sent by the key management device in the home network;
generating the target shared key according to the target security policy and the reference shared key, and sending the target shared key to the visited gateway.
In yet another alternative, when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the processor 601 is further configured to:
triggering a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, wherein the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
receiving, by the transceiver 603, the reference shared key sent by the key management device in the visited network;
generating the target shared key according to the target security policy and the reference shared key, and sending the target shared key to the visited gateway.
In yet another alternative, when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the processor 601 receives a first session establishment request containing a first security requirement set sent by a UE through the transceiver 603, the processor 601 is further configured to:
sending a second session establishment request to the home session management device through the transceiver 603, so that the home session management device triggers the key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; the second session establishment request includes the target security policy;
receiving, by the transceiver 603, a target shared key sent by the home session management device, the target shared key being generated by the home session management device according to the target security policy and the reference shared key, the reference shared key being sent by a key management device in the home network;
the target shared key is sent to the visited gateway through the transceiver 603.
In yet another alternative, when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the processor 601 is further configured to:
triggering a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, wherein the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
receiving, by the transceiver 603, the reference shared key sent by the key management device in the visited network, and sending the reference shared key and the target security policy to the home session management device;
receiving the target shared key sent by the home session management device through the transceiver 603, and sending the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
In yet another alternative, the target security policy is obtained by processing the first security requirement set, the second security requirement set, and a third security requirement set according to a preset rule, where the third security requirement set includes at least one of security requirements of a server providing the target service and security requirements of a subscription server of the UE.
It should be noted that the specific implementation of each operation may also correspond to the corresponding description of the method embodiment shown in fig. 2.
In the visited session management device 60 described in fig. 6, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by further processing a reference shared key according to a rule defined by the target security policy, where the reference shared key is a key generated, or further derived from a key generated, by bidirectional authentication of the UE in the home network or the visited network; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end data transmission between the UE and the visited gateway, so that the UE can still transmit data securely after roaming.
Referring to fig. 7, fig. 7 is a user equipment 70 according to an embodiment of the present invention, where the user equipment 70 includes a processor 701, a memory 702, and a transceiver 703, and the processor 701, the memory 702, and the transceiver 703 are connected to each other through a bus.
Memory 702 includes, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), erasable programmable read only memory (EPROM or flash memory), or portable read only memory (CD-ROM); the memory 702 stores the associated instructions and data.
The transceiver 703 may include a receiver and a transmitter, such as a radio frequency module.
The processor 701 may be one or more Central Processing Units (CPUs), and in the case that the processor 701 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 701 in the user equipment 70 is configured to read the program code stored in the memory 702 and perform the following operations:
sending a first session establishment request including a first security requirement set to a visited session management device through the transceiver 703, where the first security requirement set includes security requirements of the UE and security requirements of a target service, the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
receiving, by the transceiver 703, a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, where the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses the home network of the UE;
generating a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and the key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and the key management device in the visited network;
and protecting the secure transmission of data between the UE and the visited gateway using the target shared key.
In an alternative scheme, the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network; before the processor 701 generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the processor 701 is further configured to:
performing bidirectional authentication with the key management device in the home network to generate a basic key of the UE in the home network.
In yet another alternative, the reference shared key is a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; before the processor 701 generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the processor 701 is further configured to:
performing bidirectional authentication with the key management device in the visited network to generate a basic key of the UE in the visited network, wherein the key management device acquires subscription information of the UE from a network element in the home network in advance for the bidirectional authentication.
It should be noted that the specific implementation of each operation may also correspond to the corresponding description of the method embodiment shown in fig. 2.
In the user equipment 70 depicted in fig. 7, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by further processing a reference shared key according to the rules defined by the target security policy, where the reference shared key is a key generated, or further derived from a key generated, by bidirectional authentication of the UE in the home network or the visited network; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end data transmission between the UE and the visited gateway, so that the UE can still transmit data securely after roaming.
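As an added example (not code from the patent), the following Python simulates the two procedures described for the visited session management device (fig. 6) and the UE (fig. 7): merging the first and second security requirement sets into a target security policy, then deriving the target shared key from the reference shared key under that policy, so that the UE-derived key and the key the network side delivers to the visited gateway match only if both hold the same policy. The patent leaves the preset rule and the key derivation function open, so the intersection-with-preference rule, HKDF-SHA256, the algorithm names, the requirement values and the fixed reference shared key are all assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Preference order used by the (assumed) preset rule when more than one
# algorithm is acceptable to every party. The names are illustrative.
ALGORITHM_PREFERENCE = ("AES-256-GCM", "ChaCha20-Poly1305", "AES-128-GCM")


@dataclass(frozen=True)
class SecurityRequirement:
    """What one party (UE, target service, visited gateway, home gateway)
    accepts: key algorithms, key lengths in bits, longest update period (s)."""
    owner: str
    algorithms: frozenset
    key_lengths: frozenset
    max_update_period: int


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy: one algorithm, one key length, one period."""
    algorithm: str
    key_length: int
    update_period: int

    def encode(self) -> bytes:
        # Canonical encoding bound into the key derivation, so the UE and the
        # network side only obtain the same key if they hold the same policy.
        return f"{self.algorithm}|{self.key_length}|{self.update_period}".encode()


class PolicyError(Exception):
    """Raised when no policy satisfies every requirement set."""


def derive_policy(*requirement_sets) -> SecurityPolicy:
    """Assumed preset rule: intersect what every party accepts, then take the
    most preferred common algorithm, the longest common key length and the
    shortest update period any party demands (most conservative choice)."""
    reqs = [r for rset in requirement_sets for r in rset]
    if not reqs:
        raise PolicyError("no security requirements supplied")
    algorithms = frozenset.intersection(*(r.algorithms for r in reqs))
    key_lengths = frozenset.intersection(*(r.key_lengths for r in reqs))
    if not algorithms or not key_lengths:
        raise PolicyError("no algorithm and key length acceptable to all parties")
    rank = {name: i for i, name in enumerate(ALGORITHM_PREFERENCE)}
    algorithm = min(algorithms, key=lambda a: (rank.get(a, len(rank)), a))
    return SecurityPolicy(algorithm, max(key_lengths),
                          min(r.max_update_period for r in reqs))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-and-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_target_shared_key(reference_shared_key: bytes,
                             policy: SecurityPolicy) -> bytes:
    """Target shared key = KDF(reference shared key, target security policy).
    HKDF-SHA256 with the encoded policy in the info field is an assumption;
    the output length follows the negotiated key length."""
    info = b"roaming-target-shared-key|" + policy.encode()
    return hkdf_sha256(reference_shared_key, b"", info, policy.key_length // 8)


def simulate_roaming_session():
    """Walk through figs. 6 and 7: the UE supplies the first requirement set,
    the visited session management device adds the gateway requirements
    (second set), the policy is derived, and the UE and the network side each
    derive the target shared key from the same reference shared key."""
    first_set = (
        SecurityRequirement("UE", frozenset({"AES-256-GCM", "AES-128-GCM"}),
                            frozenset({128, 256}), 3600),
        SecurityRequirement("target service",
                            frozenset({"AES-256-GCM", "AES-128-GCM", "ChaCha20-Poly1305"}),
                            frozenset({256}), 86400),
    )
    second_set = (
        SecurityRequirement("visited gateway",
                            frozenset({"AES-256-GCM", "ChaCha20-Poly1305"}),
                            frozenset({128, 256}), 7200),
        SecurityRequirement("home gateway", frozenset({"AES-256-GCM", "AES-128-GCM"}),
                            frozenset({256}), 1800),
    )
    policy = derive_policy(first_set, second_set)
    # Constructed stand-in for the basic key produced by mutual authentication
    # between the UE and the key management device; a real key is never fixed.
    reference_shared_key = bytes(range(32))
    ue_key = derive_target_shared_key(reference_shared_key, policy)       # UE side (fig. 7)
    network_key = derive_target_shared_key(reference_shared_key, policy)  # network side (fig. 6)
    return policy, ue_key, network_key
```

Because the policy is bound into the derivation, a visited gateway that received a key derived under a different policy than the one the UE holds cannot decrypt the UE's traffic, which makes a policy mismatch fail closed rather than silently weaken protection.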
The method and apparatus of the embodiments of the present invention have been described in detail above; to better implement the above aspects, a related system of the embodiments of the present invention is provided below.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a network roaming protection system 80 according to an embodiment of the present invention, where the system 80 includes a visited session management apparatus 801 and a user equipment 802, where the visited session management apparatus 801 may be the visited session management apparatus 40 shown in fig. 4 or the visited session management apparatus 60 shown in fig. 6; the user equipment 802 may be the user equipment 50 shown in fig. 5 or the user equipment 70 shown in fig. 7.
In the system 80 depicted in fig. 8, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by processing a reference shared key according to a rule defined by the target security policy, where the reference shared key is a key generated, or further derived from a key generated, by bidirectional authentication of the UE in the home network or the visited network; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end data transmission between the UE and the visited gateway, so that the UE can still transmit data securely after roaming.
In summary, by implementing the embodiments of the present invention, when the UE roams to the visited network, a target security policy is generated by a network element in the home network or the visited network, where the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network, and a target shared key is generated by further processing a reference shared key according to a rule defined by the target security policy, where the reference shared key is a key generated, or further derived from a key generated, by bidirectional authentication of the UE in the home network or the visited network; finally, the UE and the visited gateway in the visited network use the target shared key as the shared key that protects end-to-end data transmission between the UE and the visited gateway, so that the UE can still transmit data securely after roaming.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program that is stored in a computer-readable storage medium and, when executed, carries out the processes of the method embodiments described above. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disk.
The above embodiments only illustrate preferred embodiments of the present invention and do not limit its scope; those skilled in the art will understand that all or part of the processes of the above embodiments may be implemented, and equivalents made, according to the claims of the present invention, and such implementations still fall within the scope of the invention.

Claims (27)

1. A method for network roaming protection, comprising:
receiving, by a visited session management device, a first session establishment request including a first security requirement set sent by a user equipment UE, where the first security requirement set includes security requirements of the UE and security requirements of a target service, where the security requirements define at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
the visited session management device obtains a target security policy, wherein the target security policy is obtained by processing the first security requirement set and a second security requirement set through a preset rule, the second security requirement set comprises security requirements of a visited gateway and security requirements of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses the home network;
the visited session management device sends the target security policy to the UE so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy; the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by bidirectional authentication between the UE and a key management device in the home network, and the basic key of the UE in the visited network is a key generated by bidirectional authentication between the UE and a key management device in the visited network; the target shared key is used to protect, end to end, the secure transmission of data between the UE and the visited gateway.
2. The method of claim 1, wherein the second set of security requirements comprises security requirements of the visited gateway, and the visited session management device obtaining a target security policy comprises:
the visited session management device sends the first security requirement set and the second security requirement set to other devices in the visited network, so that the other devices in the visited network generate a target security policy according to the first security requirement set and the second security requirement set and send the target security policy to the visited session management device, or the visited session management device generates the target security policy according to the first security requirement set and the second security requirement set; the visited session management device prestores the security requirement of the visited gateway, or the visited session management device acquires the security requirement of the visited gateway from the visited gateway.
3. The method of claim 1, wherein the second set of security requirements includes security requirements of the home gateway, and the visited session management device obtaining a target security policy comprises:
the visited session management device sends a second policy request message to a home session management device, where the second policy request message includes a first security requirement set, and the home session management device is a device for managing a session in a home network of the UE;
and the visited session management device receives a target security policy sent by the home session management device, wherein the target security policy is generated by a device in the home network according to the first security requirement set and the second security requirement set, triggered by the home session management device after it receives the second policy request message, and the device in the home network stores the second security requirement set.
4. The method of claim 3, wherein when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the visited session management device receives the first session establishment request containing the first security requirement set sent by the UE, the method further comprises:
the visited session management device sends a second session establishment request to a home session management device so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
the visited session management device receives a target shared key sent by the home session management device, the target shared key being generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key being sent by a key management device in the home network;
and the visited session management device sends the target shared key to the visited gateway.
5. The method of claim 3, wherein when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the method further comprises:
the visited session management device triggers a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, and the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
the visited session management device receives the reference shared key sent by the key management device in the visited network and sends the reference shared key to the home session management device;
the visited session management device receives the target shared key sent by the home session management device and sends the target shared key to the visited gateway; the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
6. The method according to claim 2 or 3, wherein when the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the visited session management device receives the first session establishment request containing the first security requirement set sent by the user equipment UE, the method further comprises:
the visited session management device sends a second session establishment request to a home session management device so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network;
the visited session management device receives the reference shared key, sent by the key management device in the home network and forwarded by the home session management device;
and the visited session management device generates the target shared key according to the target security policy and the reference shared key and sends the target shared key to the visited gateway.
7. The method of claim 2 or 3, wherein when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the method further comprises:
the visited session management device triggers a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, and the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
the visited session management device receives the reference shared key sent by the key management device in the visited network;
and the visited session management device generates the target shared key according to the target security policy and the reference shared key and sends the target shared key to the visited gateway.
8. The method of claim 2, wherein when the reference shared key is a basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, after the visited session management device receives the first session establishment request containing the first security requirement set sent by the user equipment UE, the method further comprises:
the visited session management device sends a second session establishment request to a home session management device so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate a basic key of the UE in the home network; the second session establishment request includes the target security policy;
the visited session management device receives a target shared key sent by the home session management device, the target shared key being generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key being sent by a key management device in the home network;
and the visited session management device sends the target shared key to the visited gateway.
9. The method of claim 2, wherein when the reference shared key is a base key of the UE in the visited network or a shared key derived from the base key of the UE in the visited network, the method further comprises:
the visited session management device triggers a key management device in the visited network to perform bidirectional authentication with the UE to generate a basic key of the UE in the visited network, and the key management device acquires subscription information of the UE from a network element in the home network in advance for bidirectional authentication;
the visit session management equipment receives the reference shared key sent by the key management equipment in the visit network and sends the reference shared key and the target security policy to the home session management equipment;
the visit session management equipment receives the target shared key sent by the home session management equipment and sends the target shared key to the visit gateway; the target shared secret is generated by the home session management device according to the target security policy and the reference shared secret.
10. The method according to any of claims 1 to 3, wherein the target security policy is obtained by processing the first security requirement set, the second security requirement set, and a third security requirement set according to a preset rule, and the third security requirement set includes at least one of a security requirement of a server providing the target service and a security requirement of a subscription server of the UE.
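Claims 1 to 3 and 10 say the requirement sets are processed "according to a preset rule" but do not state the rule. The block below is an added worked example, not code from the patent or from Huawei: it assumes one such rule (acceptable algorithms are intersected and the strongest survivor is chosen, the key length is the largest minimum any party requires, the key update period is the shortest any party accepts), together with assumed algorithm names, a strength ranking and constructed sample requirement sets. A practitioner's point worth seeing in code is that a conflict between the parties fails closed (no policy) instead of quietly downgrading to the weakest setting.

```python
"""Added example of a "preset rule" for building a target security policy
from the first (UE + target service), second (visited + home gateway) and
optional third (service server / subscription server) requirement sets.
The rule, the algorithm names and the ranking are assumptions, not the
patent's."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed ranking, weakest to strongest. Values are distinct so the choice is deterministic.
ALGORITHM_STRENGTH = {"AES-CTR": 1, "AES-GCM": 2, "ChaCha20-Poly1305": 3}
SUPPORTED_KEY_LENGTHS = (128, 256)   # bits; assumed
DEFAULT_UPDATE_PERIOD = 86400        # seconds, used only if nobody states a period; assumed


@dataclass(frozen=True)
class SecurityRequirement:
    """What one party accepts. None means "no constraint stated"; the claims
    require at least one of the three items to be defined."""
    algorithms: Optional[FrozenSet[str]] = None  # acceptable key algorithms
    min_key_length: Optional[int] = None         # acceptable key length, bits
    max_update_period: Optional[int] = None      # acceptable key update period, seconds

    def __post_init__(self):
        if self.algorithms is None and self.min_key_length is None and self.max_update_period is None:
            raise ValueError("a security requirement must define at least one item")


@dataclass(frozen=True)
class TargetSecurityPolicy:
    algorithm: str
    key_length: int      # bits
    update_period: int   # seconds


def negotiate_policy(*requirement_sets) -> TargetSecurityPolicy:
    """Process every supplied requirement set into one target security policy.
    Raises ValueError when the parties cannot all be satisfied; the visited
    session management device should then reject the session rather than
    pick a setting some party did not accept."""
    reqs = [r for s in requirement_sets for r in s]
    if not reqs:
        raise ValueError("no security requirements supplied")

    acceptable = set(ALGORITHM_STRENGTH)
    for r in reqs:
        if r.algorithms is not None:
            acceptable &= r.algorithms
    if not acceptable:
        raise ValueError("no key algorithm is acceptable to all parties")
    algorithm = max(sorted(acceptable), key=ALGORITHM_STRENGTH.__getitem__)

    # Every party states the shortest key it accepts; the policy must satisfy all of them.
    lengths = [r.min_key_length for r in reqs if r.min_key_length is not None]
    required = max(lengths, default=min(SUPPORTED_KEY_LENGTHS))
    candidates = [n for n in SUPPORTED_KEY_LENGTHS if n >= required]
    if not candidates:
        raise ValueError(f"no supported key length is at least {required} bits")
    key_length = candidates[0]

    # The shortest update period anyone accepts satisfies everyone.
    periods = [r.max_update_period for r in reqs if r.max_update_period is not None]
    update_period = min(periods, default=DEFAULT_UPDATE_PERIOD)
    return TargetSecurityPolicy(algorithm, key_length, update_period)


# Constructed sample requirement sets, not values from the patent.
FIRST_SET = [   # UE, then target service
    SecurityRequirement(algorithms=frozenset({"AES-GCM", "AES-CTR"}), min_key_length=128, max_update_period=3600),
    SecurityRequirement(algorithms=frozenset({"AES-GCM", "ChaCha20-Poly1305"}), min_key_length=256),
]
SECOND_SET = [  # visited gateway, then home gateway
    SecurityRequirement(algorithms=frozenset({"AES-GCM", "AES-CTR"}), max_update_period=1800),
    SecurityRequirement(min_key_length=128),
]
THIRD_SET = [   # subscription server
    SecurityRequirement(max_update_period=7200),
]

if __name__ == "__main__":
    print(negotiate_policy(FIRST_SET, SECOND_SET, THIRD_SET))
```

With the constructed sets the only algorithm every party accepts is AES-GCM, the service's 256-bit minimum wins over the 128-bit minimums, and the visited gateway's 1800-second period is the shortest, so the policy is AES-GCM / 256 bits / 1800 s. Dropping the third set (the claim 1 to 3 case) leaves the result unchanged here because the subscription server's requirement was the loosest.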
11. A method for network roaming protection, comprising:
a user equipment (UE) sends a first session establishment request containing a first security requirement set to a visited session management device, wherein the first security requirement set contains security requirements of the UE and security requirements of a target service, a security requirement defines at least one of an acceptable key algorithm, an acceptable key length and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
the UE receives a target security policy sent by the visited session management device, wherein the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set comprises security requirements of a visited gateway and security requirements of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses its home network;
the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy, wherein the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by mutual authentication between the UE and a key management device in the home network, and the basic key of the UE in the visited network is a key generated by mutual authentication between the UE and a key management device in the visited network;
and the UE uses the target shared key to protect the secure transmission of data between the UE and the visited gateway.
12. The method according to claim 11, wherein the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, and before the UE generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the method further comprises:
the UE performs mutual authentication with the key management device in the home network to generate the basic key of the UE in the home network.
13. The method of claim 11, wherein the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, and before the UE generates the target shared key based on the reference shared key according to the rule defined by the target security policy, the method further comprises:
the UE performs mutual authentication with the key management device in the visited network to generate the basic key of the UE in the visited network, wherein the key management device obtains subscription information of the UE from a network element in the home network in advance for the mutual authentication.
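Claims 11 to 13 have the UE derive the target shared key from the reference shared key "according to a rule defined by the target security policy", while the network side (claims 7 to 9) derives the same key from the same inputs, so no key ever crosses the roaming interface in the clear. The derivation function itself is not specified. The block below is an added example, not code from the patent or from Huawei: it uses HKDF with HMAC-SHA-256 (RFC 5869) and binds the derived key to the negotiated policy, the two endpoint identities and a key-update epoch counter; the salt label, the context fields, the epoch scheme and all sample values are assumptions.

```python
"""Added example: target shared key = HKDF(reference shared key) under the
target security policy. HKDF-SHA256, the salt label, the context layout
and the epoch counter are assumptions; the patent names none of them."""
import hashlib
import hmac
import json

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key too long for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_target_key(reference_key: bytes, policy: dict, ue_id: str,
                      visited_gw_id: str, epoch: int) -> bytes:
    """Derive the target shared key. The policy (algorithm, key length,
    update period), both endpoint identities and the epoch go into the
    HKDF info so a key for one policy or gateway is never valid for another.
    The UE and the network element holding the reference key both run this."""
    if policy["key_length"] % 8:
        raise ValueError("key length must be a whole number of bytes")
    context = {"policy": policy, "ue": ue_id, "visited_gw": visited_gw_id, "epoch": epoch}
    info = json.dumps(context, sort_keys=True, separators=(",", ":")).encode()
    prk = hkdf_extract(salt=b"assumed-roaming-target-key-label", ikm=reference_key)
    return hkdf_expand(prk, info, policy["key_length"] // 8)


def current_epoch(seconds_since_session_start: int, policy: dict) -> int:
    """Key generation in force: the policy's key update period (seconds)
    decides when both sides must re-run derive_target_key with a new epoch."""
    return seconds_since_session_start // policy["update_period"]


def rfc5869_test_case_1_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869, Appendix A, Test Case 1."""
    ikm, salt, info = bytes([0x0B] * 22), bytes(range(0x00, 0x0D)), bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed sample inputs, not values from the patent.
EXAMPLE_REFERENCE_KEY = hashlib.sha256(b"constructed basic key from mutual authentication").digest()
EXAMPLE_POLICY = {"algorithm": "AES-GCM", "key_length": 256, "update_period": 1800}

if __name__ == "__main__":
    ue_side = derive_target_key(EXAMPLE_REFERENCE_KEY, EXAMPLE_POLICY, "ue-placeholder", "visited-gw-1", 0)
    net_side = derive_target_key(EXAMPLE_REFERENCE_KEY, EXAMPLE_POLICY, "ue-placeholder", "visited-gw-1", 0)
    print("HKDF self-check:", rfc5869_test_case_1_ok())
    print("UE and network agree:", ue_side == net_side, "key bits:", len(ue_side) * 8)
```

Because the policy is part of the HKDF info, a visited-network element that tried to apply a weaker policy than the one the UE received would end up with a different key and the session would simply fail to decrypt, which is the property the negotiation in claim 1 relies on. The epoch counter is what makes the policy's key update period enforceable: after each period both sides derive epoch + 1 from the same reference key without another authentication run.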
14. A visited session management device, comprising:
a first receiving unit, configured to receive a first session establishment request including a first security requirement set sent by a user equipment (UE), wherein the first security requirement set includes security requirements of the UE and security requirements of a target service, a security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
an obtaining unit, configured to obtain a target security policy, wherein the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses its home network;
and a first sending unit, configured to send the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key according to a rule defined by the target security policy, wherein the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by mutual authentication between the UE and a key management device in the home network, and the basic key of the UE in the visited network is a key generated by mutual authentication between the UE and a key management device in the visited network; and the target shared key is used to protect the end-to-end secure transmission of data between the UE and the visited gateway.
15. The visited session management device of claim 14, wherein the second security requirement set comprises the security requirement of the visited gateway, and the obtaining unit is specifically configured to send the first security requirement set and the second security requirement set to another device in the visited network, so that the other device in the visited network generates the target security policy according to the first security requirement set and the second security requirement set and sends the target security policy to the visited session management device, or to generate the target security policy according to the first security requirement set and the second security requirement set; and the visited session management device prestores the security requirement of the visited gateway, or the visited session management device acquires the security requirement of the visited gateway from the visited gateway.
16. The visited session management device of claim 14, wherein the second security requirement set comprises the security requirement of the home gateway, and the obtaining unit is specifically configured to:
send a second policy request message to a home session management device, wherein the second policy request message includes the first security requirement set, and the home session management device is a device that manages a session in a home network of the UE;
and receive the target security policy sent by the home session management device, wherein the target security policy is generated by a device in the home network, triggered by the home session management device after it receives the second policy request message, according to the first security requirement set and the second security requirement set, and the device in the home network stores the second security requirement set.
17. The visited session management device of claim 16, wherein when the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management device further comprises:
a second sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives the first session establishment request that includes the first security requirement set and is sent by the user equipment UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate the basic key of the UE in the home network;
a second receiving unit, configured to receive a target shared key sent by the home session management device, wherein the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
and a third sending unit, configured to send the target shared key to the visited gateway.
18. The visited session management device of claim 16, wherein when the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management device further comprises:
a first triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate the basic key of the UE in the visited network, wherein the key management device obtains subscription information of the UE from a network element in the home network in advance for the mutual authentication;
a third receiving unit, configured to receive the reference shared key sent by the key management device in the visited network and to send the reference shared key to the home session management device;
and a fourth receiving unit, configured to receive the target shared key sent by the home session management device and to send the target shared key to the visited gateway, wherein the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
19. The visited session management device of claim 15 or 16, wherein when the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management device further comprises:
a fourth sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives the first session establishment request that includes the first security requirement set and is sent by the user equipment UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate the basic key of the UE in the home network;
a fifth receiving unit, configured to receive the reference shared key that is sent by the key management device in the home network and forwarded by the home session management device;
and a first generating unit, configured to generate the target shared key according to the target security policy and the reference shared key, and to send the target shared key to the visited gateway.
20. The visited session management device of claim 15 or 16, wherein when the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management device further comprises:
a second triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate the basic key of the UE in the visited network, wherein the key management device obtains subscription information of the UE from a network element in the home network in advance for the mutual authentication;
a sixth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network;
and a second generating unit, configured to generate the target shared key according to the target security policy and the reference shared key, and to send the target shared key to the visited gateway.
21. The visited session management device of claim 15, wherein when the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, the visited session management device further comprises:
a fifth sending unit, configured to send a second session establishment request to a home session management device after the first receiving unit receives the first session establishment request that includes the first security requirement set and is sent by the user equipment UE, so that the home session management device triggers a key management device in the home network to perform mutual authentication with the UE to generate the basic key of the UE in the home network, wherein the second session establishment request includes the target security policy;
a seventh receiving unit, configured to receive a target shared key sent by the home session management device, wherein the target shared key is generated by the home session management device according to the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
and a sixth sending unit, configured to send the target shared key to the visited gateway.
22. The visited session management device of claim 15, wherein when the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, the visited session management device further comprises:
a third triggering unit, configured to trigger a key management device in the visited network to perform mutual authentication with the UE to generate the basic key of the UE in the visited network, wherein the key management device obtains subscription information of the UE from a network element in the home network in advance for the mutual authentication;
an eighth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network and to send the reference shared key and the target security policy to a home session management device;
and a ninth receiving unit, configured to receive the target shared key sent by the home session management device and to send the target shared key to the visited gateway, wherein the target shared key is generated by the home session management device according to the target security policy and the reference shared key.
23. The visited session management device according to any one of claims 14 to 16, wherein the target security policy is obtained by processing the first security requirement set, the second security requirement set, and a third security requirement set according to a preset rule, and the third security requirement set includes at least one of a security requirement of a server providing the target service and a security requirement of a subscription server of the UE.
24. A user equipment, comprising:
a sending unit, configured to send a first session establishment request including a first security requirement set to a visited session management device, wherein the first security requirement set includes security requirements of the user equipment (UE) and security requirements of a target service, a security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service currently executed by the UE, and the visited session management device is a device that manages a session in a visited network of the UE;
a receiving unit, configured to receive a target security policy sent by the visited session management device, wherein the target security policy is obtained by processing the first security requirement set and a second security requirement set according to a preset rule, the second security requirement set includes a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses its home network;
a generating unit, configured to generate a target shared key based on a reference shared key according to a rule defined by the target security policy, wherein the reference shared key is a basic key of the UE in the home network, or a shared key derived from the basic key of the UE in the home network, or a basic key of the UE in the visited network, or a shared key derived from the basic key of the UE in the visited network; the basic key of the UE in the home network is a key generated by mutual authentication between the UE and a key management device in the home network, and the basic key of the UE in the visited network is a key generated by mutual authentication between the UE and a key management device in the visited network;
and a transmission unit, configured to use the target shared key to protect the secure transmission of data between the UE and the visited gateway.
25. The user equipment of claim 24, wherein the reference shared key is the basic key of the UE in the home network or a shared key derived from the basic key of the UE in the home network, and the user equipment further comprises:
a first authentication unit, configured to perform mutual authentication with the key management device in the home network to generate the basic key of the UE in the home network before the generating unit generates the target shared key based on the reference shared key according to the rule defined by the target security policy.
26. The user equipment of claim 24, wherein the reference shared key is the basic key of the UE in the visited network or a shared key derived from the basic key of the UE in the visited network, and the user equipment further comprises:
a second authentication unit, configured to perform mutual authentication with the key management device in the visited network to generate the basic key of the UE in the visited network before the generating unit generates the target shared key based on the reference shared key according to the rule defined by the target security policy, wherein the key management device obtains subscription information of the UE from a network element in the home network in advance for the mutual authentication.
27. A network roaming protection system, characterized in that the system comprises a visited session management device and a user equipment, wherein:
the visited session management device is the visited session management device according to any one of claims 14 to 23;
and the user equipment is the user equipment according to any one of claims 24 to 26.
CN201610826048.7A 2016-09-14 2016-09-14 Network roaming protection method, related equipment and system Active CN107820234B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201610826048.7A CN107820234B (en) 2016-09-14 2016-09-14 Network roaming protection method, related equipment and system
EP17850070.8A EP3496436B1 (en) 2016-09-14 2017-06-27 Network roaming protection method, related device and system
PCT/CN2017/090286 WO2018049865A1 (en) 2016-09-14 2017-06-27 Network roaming protection method, related device and system
US16/351,772 US10743368B2 (en) 2016-09-14 2019-03-13 Network roaming protection method, related device, and system
US16/909,601 US11109230B2 (en) 2016-09-14 2020-06-23 Network roaming protection method, related device, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610826048.7A CN107820234B (en) 2016-09-14 2016-09-14 Network roaming protection method, related equipment and system

Publications (2)

Publication Number Publication Date
CN107820234A CN107820234A (en) 2018-03-20
CN107820234B true CN107820234B (en) 2021-02-23

Family

ID=61600398

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610826048.7A Active CN107820234B (en) 2016-09-14 2016-09-14 Network roaming protection method, related equipment and system

Country Status (4)

Country Link
US (2) US10743368B2 (en)
EP (1) EP3496436B1 (en)
CN (1) CN107820234B (en)
WO (1) WO2018049865A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109996314B (en) * 2017-12-29 2021-11-09 阿里巴巴集团控股有限公司 Method, device and system for accessing network to be configured to network hotspot device
CN110366159B (en) * 2018-04-09 2022-05-17 华为技术有限公司 Method and equipment for acquiring security policy
EP3791537A4 (en) * 2018-05-09 2022-01-19 Nokia Technologies Oy Security management for edge proxies on an inter-network interface in a communication system
CN111491394B (en) * 2019-01-27 2022-06-14 华为技术有限公司 Method and device for user plane security protection
CN111770486B (en) * 2019-03-30 2022-02-08 华为技术有限公司 Terminal roaming method and device
WO2021212351A1 (en) * 2020-04-22 2021-10-28 Citrix Systems, Inc. Multifactor authentication service

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140157395A1 (en) * 2011-08-05 2014-06-05 Huawei Technologies Co., Ltd. Method and apparatus for establishing tunnel data security channel

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6879690B2 (en) * 2001-02-21 2005-04-12 Nokia Corporation Method and system for delegation of security procedures to a visited domain
KR100888471B1 (en) 2002-07-05 2009-03-12 삼성전자주식회사 Method using access right differentiation in wireless access network, and secure roaming method thereby
JP2004241976A (en) * 2003-02-05 2004-08-26 Nec Corp Mobile communication network system and method for authenticating mobile terminal
US8098818B2 (en) * 2003-07-07 2012-01-17 Qualcomm Incorporated Secure registration for a multicast-broadcast-multimedia system (MBMS)
CN1265676C (en) * 2004-04-02 2006-07-19 华为技术有限公司 Method for realizing roaming user to visit network inner service
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
EP2103077B1 (en) * 2007-01-04 2011-03-09 Telefonaktiebolaget LM Ericsson (publ) Method and apparatus for determining an authentication procedure
US8064928B2 (en) * 2008-08-29 2011-11-22 Intel Corporation System and method for providing location based services (LBS) to roaming subscribers in a wireless access network
CN102415116B (en) * 2009-05-01 2015-04-22 诺基亚公司 Systems, methods, and apparatuses for facilitating authorization of a roaming mobile terminal
CN102223231B (en) 2010-04-16 2016-03-30 中兴通讯股份有限公司 M2M terminal authentication system and authentication method
CN102137397B (en) 2011-03-10 2014-04-02 西安电子科技大学 Authentication method based on shared group key in machine type communication (MTC)
KR101860440B1 (en) 2011-07-01 2018-05-24 삼성전자주식회사 Apparatus, method and system for creating and maintaining multiast data encryption key in machine to machine communication system
US8948386B2 (en) * 2012-06-27 2015-02-03 Certicom Corp. Authentication of a mobile device by a network and key generation
US9008309B2 (en) * 2012-07-02 2015-04-14 Intel Mobile Communications GmbH Circuit arrangement and a method for roaming between a visited network and a mobile station
CN103634796B (en) * 2013-12-06 2017-02-01 北京航空航天大学 Space information network roaming and trusted security access method
CN103840941B (en) 2014-01-15 2016-04-06 东南大学 Based on the location privacy method in the thing network sensing layer certification of Chinese remainder theorem
US9900295B2 (en) * 2014-11-05 2018-02-20 Microsoft Technology Licensing, Llc Roaming content wipe actions across devices
CN109560929B (en) * 2016-07-01 2020-06-16 华为技术有限公司 Secret key configuration and security policy determination method and device

Also Published As

Publication number Publication date
US20200322798A1 (en) 2020-10-08
EP3496436B1 (en) 2021-03-17
EP3496436A1 (en) 2019-06-12
WO2018049865A1 (en) 2018-03-22
US20190215904A1 (en) 2019-07-11
US11109230B2 (en) 2021-08-31
US10743368B2 (en) 2020-08-11
EP3496436A4 (en) 2019-08-28
CN107820234A (en) 2018-03-20

Similar Documents

Publication Publication Date Title
CN107820234B (en) Network roaming protection method, related equipment and system
CN107820283B (en) Network switching protection method, related equipment and system
CN109314638B (en) Secret key configuration and security policy determination method and device
CN107623670B (en) Network authentication method, related equipment and system
EP2747466B1 (en) Methods and devices for ota subscription management
RU2431925C2 (en) System and method for distributing wireless network access parameters
WO2019197883A1 (en) Methods and systems for performing multi-domain network slice selection and approval
KR102017442B1 (en) Method and devices for providing a subscription profile on a mobile terminal
US7116996B2 (en) Providing contact data in a wireless telecommunication system
EP3713274A1 (en) Techniques for authenticating a ue in a second communication network based on an authentication in a first communication network
US20200322780A1 (en) Techniques for routing a registration request of a roaming user equipment by a bridge entity
WO2019120696A1 (en) Techniques for establishing data communication based on user identification
CN110519746B (en) Method and device for terminating access and mobility management policy association
US20190200207A1 (en) Techniques for providing subscriber-specific routing of a roaming user equipment in a visited communication network
WO2018014630A1 (en) Network verification method and associated apparatus and system
EP3713186B1 (en) Techniques for enabling unique utilization of identities within a communication network
EP3565311B1 (en) Communication method and related system
CN114270901A (en) Method for configuring radio connection
EP1322130B1 (en) A terminal-based service identification mechanism
Pinto Shadow Phone and Ghost SIM: A Step Toward Geolocation Anonymous Calling
CN116567610A (en) ePDG information customization synchronization method, terminal, USIM and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant